Limits

This page documents the current public limits for the PhishFort Client API.

Request throttling

The Client API does not currently publish a per-API-key sustained RPS, burst RPS, or daily quota. POST /v1/incident/tkd and POST /v1/incident/{id}/attach share the same API infrastructure and do not have separate request budgets.

Recommended retry behavior

Response	Action
`200`–`299`	Success.
`400`, `401`, `403`, `404`, `413`, `422`	Terminal — do not retry, fix the request.
`429`	Retry with bounded exponential backoff and jitter. A `Retry-After` header is not currently guaranteed.
`5xx`	Retry with bounded exponential backoff and jitter.

Attachments

Attachment uploads use multipart form data. Uploads do not use a signed URL flow; signed URLs are only returned when reading or downloading existing attachments.

A single request can include up to 12 files by repeating the attachments multipart field, and the total request size — including all files and form fields — must stay under 10 MB. Because multipart encoding adds overhead, keep the combined raw file size comfortably below 10 MB.

Requests that exceed the 10 MB request size limit receive a 413 response:

{
    "statusCode": 413,
    "error": "Request Entity Too Large",
    "message": "Payload content length greater than maximum allowed: 10485760"
}