# Rate Limits & Security

## Connection limits

| Limit                          | Value        | Scope             |
| ------------------------------ | ------------ | ----------------- |
| Global concurrent connections  | 10,000       | Entire server     |
| Per-IP concurrent connections  | 20           | Single IP address |
| Per-IP connection rate         | 60 / minute  | Sliding window    |
| Per-key concurrent connections | Configurable | Per API key       |

If you exceed any of these limits, the server responds with HTTP `429 Too Many Requests` during the handshake:

```json
{
  "error": "max_connections_reached",
  "limit": 5,
  "current": 5
}
```

## Client message limits

The server does not expect messages from clients. However, if you do send messages:

| Limit          | Value       | Consequence                               |
| -------------- | ----------- | ----------------------------------------- |
| Message rate   | 30 / minute | Connection closed (`rate_limit_exceeded`) |
| Max frame size | 1 KB        | Connection closed (`frame_too_large`)     |

## TLS

All connections use **TLS encryption** by default (WSS on port 9201).

{% hint style="info" %}
The server may use a self-signed certificate. If so, you will need to disable certificate verification in your client. Note that disabling verification also removes the protection TLS gives against interception of the connection; where your client library allows it, trusting the server's specific certificate explicitly (adding it as a trusted CA) is the safer alternative. See [Code Examples](https://cryptolistingws.gitbook.io/docs/code-examples) for how to do this in each language.
{% endhint %}

## API key security

* Keys are **hashed with SHA-256** before storage -- raw keys cannot be recovered from the database.
* Invalid API keys are cached for **30 seconds** to mitigate brute-force attacks.
* Keys can be **revoked instantly** by an administrator, immediately disconnecting all active sessions.
* Keys can have **expiration dates** -- expired keys are automatically rejected.
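As an added illustration of the four points above (example code, not the service's own implementation, which this page does not publish): a minimal server-side key store that keeps only SHA-256 digests, caches rejections of unknown keys for 30 seconds, honours expiration dates, and on revocation hands back the live sessions that must be disconnected. Class and method names are assumptions.

```python
import hashlib
import secrets
import time

NEGATIVE_CACHE_TTL = 30.0  # seconds a rejected key stays cached (the page's "30 seconds")

class ApiKeyStore:
    """Hypothetical server-side store: holds SHA-256 digests of keys, never raw keys."""

    def __init__(self):
        self._keys = {}      # digest -> {"expires": float | None, "revoked": bool}
        self._sessions = {}  # digest -> set of live connection ids
        self._bad = {}       # digest of a rejected key -> time it was cached

    @staticmethod
    def digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, expires_at=None):
        """Mint a high-entropy key; return (key_id, raw). Only key_id (the digest) is kept."""
        raw = secrets.token_urlsafe(32)  # random, so a plain SHA-256 digest is enough
        key_id = self.digest(raw)
        self._keys[key_id] = {"expires": expires_at, "revoked": False}
        return key_id, raw

    def verify(self, raw_key: str, now=None):
        """Return (accepted, reason). Unknown keys are cached for NEGATIVE_CACHE_TTL."""
        now = time.time() if now is None else now
        d = self.digest(raw_key)
        cached = self._bad.get(d)
        if cached is not None and now - cached < NEGATIVE_CACHE_TTL:
            return False, "cached_invalid"  # no store lookup while the entry is fresh
        rec = self._keys.get(d)
        if rec is None:
            self._bad[d] = now
            return False, "unknown_key"
        if rec["revoked"]:
            return False, "revoked"
        if rec["expires"] is not None and now >= rec["expires"]:
            return False, "expired"
        return True, "ok"

    def attach(self, key_id: str, conn_id: str) -> None:
        self._sessions.setdefault(key_id, set()).add(conn_id)  # track live sessions

    def revoke(self, key_id: str):
        """Administrator action: mark the key revoked and return sessions to disconnect."""
        self._keys[key_id]["revoked"] = True
        return self._sessions.pop(key_id, set())
```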
