vercel-rate-limits

Handle Vercel API rate limits, implement retry logic, and configure WAF rate limiting. Use when hitting 429 errors, implementing retry logic, or setting up rate limiting for your Vercel-deployed API endpoints. Trigger with phrases like "vercel rate limit", "vercel throttling", "vercel 429", "vercel retry", "vercel backoff", "vercel WAF rate limit".

v1.0.0
Jeremy Longshore
MIT
claude-codecodexopenclaw
3 Tools
vercel-pack Plugin
saas packs Category

Allowed Tools

ReadWriteEdit

Provided by Plugin

vercel-pack

Claude Code skill pack for Vercel (30 skills)

saas packs v1.0.0
View Plugin

Installation

This skill is included in the vercel-pack plugin:

/plugin install vercel-pack@claude-code-plugins-plus

Click to copy

Instructions

Vercel Rate Limits

Overview

Handle Vercel REST API rate limits with proper retry logic, and configure Vercel's WAF rate limiting SDK to protect your deployed API endpoints from abuse. Covers both consuming the Vercel API (outbound) and protecting your own functions (inbound).

Prerequisites

  • Vercel CLI installed and authenticated
  • Understanding of HTTP 429 status codes
  • For WAF rate limiting: Vercel Pro or Enterprise plan

Instructions

Step 1: Vercel REST API Rate Limits

The Vercel REST API enforces rate limits per endpoint. When exceeded, the API returns HTTP 429 with rate limit headers:


HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1711152000
Retry-After: 60

Known API limits:

Endpoint Category Rate Limit
Deployments (create) 100/hour per project
Deployments (list/get) 500/min
Projects (CRUD) 200/min
Environment variables 200/min
Domains 200/min
Teams 200/min
DNS records 200/min
General API 120 requests/min (default)

Step 2: Implement Retry with Backoff for Vercel API


// lib/rate-limit-handler.ts
interface RateLimitInfo {
  limit: number;
  remaining: number;
  reset: number; // Unix timestamp
}

function parseRateLimitHeaders(headers: Headers): RateLimitInfo {
  return {
    limit: Number(headers.get('X-RateLimit-Limit') ?? 100),
    remaining: Number(headers.get('X-RateLimit-Remaining') ?? 100),
    reset: Number(headers.get('X-RateLimit-Reset') ?? 0),
  };
}

async function vercelFetchWithRetry(
  url: string,
  options: RequestInit,
  maxRetries = 3
): Promise<Response> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const res = await fetch(url, options);

    if (res.status !== 429) return res;

    if (attempt === maxRetries) {
      throw new Error(`Rate limited after ${maxRetries} retries: ${url}`);
    }

    // Use Retry-After header if present, otherwise exponential backoff
    const retryAfter = res.headers.get('Retry-After');
    const waitMs = retryAfter
      ? Number(retryAfter) * 1000
      : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 1000, 30000);

    console.warn(`Rate limited (attempt ${attempt + 1}/${maxRetries}). Waiting ${Math.round(waitMs)}ms...`);
    await new Promise(r => setTimeout(r, waitMs));
  }
  throw new Error('Unreachable');
}

Step 3: Proactive Rate Limit Avoidance


// lib/rate-limiter.ts
// Track remaining quota and slow down before hitting the wall
class VercelRateLimiter {
  private remaining = 100;
  private resetAt = 0;

  async throttle(): Promise<void> {
    // If near the limit, wait until reset
    if (this.remaining < 5) {
      const waitMs = Math.max(0, this.resetAt * 1000 - Date.now()) + 1000;
      console.warn(`Near rate limit (${this.remaining} remaining). Waiting ${waitMs}ms...`);
      await new Promise(r => setTimeout(r, waitMs));
    }
  }

  update(headers: Headers): void {
    this.remaining = Number(headers.get('X-RateLimit-Remaining') ?? this.remaining);
    this.resetAt = Number(headers.get('X-RateLimit-Reset') ?? this.resetAt);
  }
}

Step 4: Protect Your Own Endpoints — Vercel WAF Rate Limiting

Vercel's WAF provides built-in rate limiting for your deployed functions:


// middleware.ts — WAF rate limiting via Vercel Firewall SDK
import { ipAddress } from '@vercel/functions';
import { checkRateLimit } from '@vercel/firewall';

export async function middleware(request: Request) {
  const ip = ipAddress(request) ?? '127.0.0.1';

  // Rate limit: 100 requests per 60 seconds per IP
  const { rateLimited } = await checkRateLimit('api-limit', {
    key: ip,
    limit: 100,
    window: '60s',
  });

  if (rateLimited) {
    return new Response(
      JSON.stringify({ error: 'Too many requests. Please try again later.' }),
      { status: 429, headers: { 'Content-Type': 'application/json', 'Retry-After': '60' } }
    );
  }
}

export const config = {
  matcher: '/api/:path*',
};

Install: npm install @vercel/firewall @vercel/functions

Step 5: Custom Rate Limiting with Edge Config


// api/rate-limited-endpoint.ts
import { get } from '@vercel/edge-config';

export const config = { runtime: 'edge' };

// Simple in-memory sliding window (per-isolate, not global)
const windowMs = 60_000;
const maxRequests = 50;
const requests = new Map<string, number[]>();

function isRateLimited(key: string): boolean {
  const now = Date.now();
  const timestamps = (requests.get(key) ?? []).filter(t => now - t < windowMs);
  timestamps.push(now);
  requests.set(key, timestamps);
  return timestamps.length > maxRequests;
}

export default async function handler(request: Request): Promise<Response> {
  const ip = request.headers.get('x-forwarded-for') ?? 'unknown';

  if (isRateLimited(ip)) {
    return Response.json({ error: 'Rate limit exceeded' }, { status: 429 });
  }

  return Response.json({ data: 'ok' });
}

Platform Concurrency Limits

Plan Concurrent Executions Builds/Hour
Hobby 10 32
Pro 1,000 6,000/day
Enterprise 100,000 Custom

Output

  • Vercel API calls wrapped with automatic retry and backoff
  • Rate limit headers parsed and monitored proactively
  • WAF rate limiting protecting deployed API endpoints
  • Custom per-IP rate limiting for fine-grained control

Error Handling

Error Cause Solution
429 Too Many Requests API rate limit exceeded Use vercelFetchWithRetry() wrapper
FUNCTION_THROTTLED Concurrent execution limit hit Reduce parallelism or upgrade plan
Rate limit not applied Middleware not matching routes Check config.matcher pattern
In-memory rate limit resets Edge function isolate recycled Use Redis or Vercel KV for persistent state

Resources

Next Steps

For security best practices, see vercel-security-basics.

Ready to use vercel-pack?

Related Skills

"cursor-advanced-composer"

Advanced Cursor Composer techniques: agent mode, parallel agents, complex refactoring, and multi-step orchestration.

ReadWriteEdit

"cursor-ai-chat"

Master Cursor AI Chat with @-mentions, inline edit, and conversation patterns.

ReadWriteEdit

"cursor-api-key-management"

Configure BYOK API keys for OpenAI, Anthropic, Google, Azure, and custom models in Cursor.

ReadWriteEdit

"cursor-codebase-indexing"

Set up and optimize Cursor codebase indexing for semantic code search and @Codebase queries.

ReadWriteEdit

"cursor-common-errors"

Troubleshoot common Cursor IDE errors: authentication, completion, indexing, API, and performance issues.

ReadWriteEdit

"cursor-compliance-audit"

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation.

ReadWriteEdit