Rate limits and platform limits
All limits below are enforced by the Wicket platform. If your workload needs higher limits, contact support.
MCP proxy rate limit
| Property | Value |
|---|---|
| Scope | Per member key |
| Burst capacity | 60 requests (default) |
| Sustained rate | ~1 request/second (token bucket, refills continuously) |
| On exceed | 429 Too Many Requests with a JSON-RPC error (Rate limit exceeded — too many requests per key) |
The limiter is a token bucket: you can burst up to 60 calls (the default capacity), then the bucket refills at one token per second. Back off briefly and retry — there is no penalty window.
Example — what hitting the limit looks like (HTTP 429):
{ "jsonrpc": "2.0", "id": 7, "error": { "code": -32600, "message": "Rate limit exceeded — too many requests per key" }}A retry one second later has one token available and succeeds.
This limit is separate from any rate limits the upstream service imposes (GitHub, Slack, and Linear all have their own API budgets). An upstream rate-limit error reaches you as a 502/upstream error, not a 429.
Upstream timeouts
| Property | Value |
|---|---|
| Upstream response timeout | 30 seconds per call |
| On timeout | 504 with a JSON-RPC error naming the service |
Authentication limits
| Limit | Value |
|---|---|
| Sign-in codes per email | 15 per hour |
| Sign-in code validity | 10 minutes, single use |
| Dashboard session | Cookie-based; re-validated continuously |
Other platform limits
| Limit | Value |
|---|---|
| Invite link validity | 7 days |
| Policy deny message length | 500 characters |
| Audit export page size | 500 rows per request (paginate with offset) |
| Tool session idle expiry | 30 minutes of inactivity |
Related
- Errors and JSON-RPC codes — what limit violations look like on the wire
- Audit event schema — export pagination parameters