Skip to main content
To protect the system from abusive requests, Chatwoot makes use of rack_attack gem. You could customize the configuration to suit your needs by updating, config/initializers/rack_attack.rb

Default Rate Limits

  • Chatwoot throttles requests by IP at 3000 requests per 1 minute, unless the request is from an allowed IP such as 127.0.0.1 or ::1.
  • Signup Requests are limited by IP at 5 requests per 5 minutes.
  • SignIn Requests are limited by IP at 5 requests per 20 seconds.
  • SignIn Requests are limited by email address at 20 requests per 5 minutes for a specific email.
  • Reset Password Requests are limited at 5 requests per 1 hour for a specific email.

Widget API Rate Limits

When ENABLE_RACK_ATTACK_WIDGET_API is enabled, Chatwoot also applies the following widget API limits by IP:
  • Widget conversation creation is limited to 6 requests per 12 hours.
  • Widget contact updates are limited to 60 requests per 1 hour.
  • New widget sessions without an existing conversation token are limited to 5 requests per 1 hour.

Attachment Restrictions

  • Contact/Inbox Avatar attachment file types are limited to jpeg, gif and png.
  • Contact/Inbox Avatar attachment file size is limited to 15MB.
  • Website Channel message attachments are limited to types [‘image/png’, ‘image/jpeg’, ‘image/gif’, ‘image/bmp’, ‘image/tiff’, ‘application/pdf’, ‘audio/mpeg’, ‘video/mp4’, ‘audio/ogg’, ‘text/csv’]
  • Website Channel message attachments are limited to 40MB size limit.

Disabling Rack attack on your instance

You can control the behaviour of rack attack in your instance via the following environment variables. 
## Rack Attack configuration
## To prevent and throttle abusive requests.
# Disable if you are getting too many request errors for custom use cases
# ENABLE_RACK_ATTACK=true
# Control the allowed number of requests
# RACK_ATTACK_LIMIT=300
# Control whether you want to enable rack attack for widget APIs
# ENABLE_RACK_ATTACK_WIDGET_API=true