Every public-facing API route now enforces rate limits via a shared rateLimit() helper. Limits are applied per IP and per API key separately, so a shared IP (e.g. a corporate NAT) doesn't accidentally cap unrelated users.
Default limits:
/api/chat— 60 requests/minute per bot (matches embed widget use)/api/v1/*— 120 requests/minute per API key- Auth and webhook routes — separate, tighter limits
When a request is rate-limited, the API returns a 429 Too Many Requests with a Retry-After header. The embed widget handles this gracefully and shows a "give me a moment" message instead of a blank error.
Commit: 7d105f5