Limits & Quotas
Every Curate-Me organization operates within a set of limits that depend on its plan tier. This page is a single reference for all numerical constraints enforced by the platform.
Limits are applied at the gateway governance chain and at the control plane level. If a request would exceed a limit, the gateway returns an appropriate HTTP error (usually 429 Too Many Requests or 403 Forbidden) with a machine-readable X-CM-Limit-Exceeded header indicating which limit was hit.
Gateway Limits
These limits are enforced per-organization by the governance chain on every proxied request.
| Limit | Free | Starter | Growth | Enterprise |
|---|---|---|---|---|
| Requests per minute (RPM) | 10 | 60 | 300 | 5,000 |
| Daily budget (USD) | $10 | $25 | $100 | $2,000 |
| Monthly budget (USD) | $50 | $250 | $2,000 | $50,000 |
| Max cost per request (USD) | $0.25 | $0.50 | $2.00 | $10.00 |
| HITL cost threshold (USD) | $1.00 | $3.00 | $10.00 | $50.00 |
| Max reasoning tokens | 4,096 | 16,384 | 65,536 | Unlimited |
| Max request body size | 1 MB | 10 MB | 50 MB | 100 MB |
RPM is measured per organization using a sliding-window counter in Redis. The gateway returns standard IETF RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset headers on every response.
HITL cost threshold is the estimated cost above which a request is flagged for human-in-the-loop approval before being forwarded to the upstream provider.
Runner Limits (Private Beta)
These limits apply to managed runners (OpenClaw containers) and BYOVM agents. Managed runners are currently in private beta.
| Limit | Free | Starter | Growth | Enterprise |
|---|---|---|---|---|
| Concurrent runners | 1 | 3 | 10 | 50 |
| Max fleet size | N/A | N/A | 6 | 25 |
| BYOVM agents per org | N/A | 1 | 5 | Unlimited |
Fleet size is the maximum number of agents in a single fleet deployment. Organizations on Free and Starter plans do not have access to fleet orchestration.
BYOVM agents are self-hosted machines registered with the platform via the BYOVM protocol. They receive jobs dispatched from the control plane.
API Limits
Limits on organizational resources and connections.
| Limit | Free | Starter | Growth | Enterprise |
|---|---|---|---|---|
| API keys per org | 5 | 20 | 50 | Unlimited |
| Webhook endpoints per org | 2 | 5 | 10 | 50 |
| WebSocket connections | 5 | 20 | 100 | 500 |
| Hierarchical budget nodes | 1 (org only) | 5 | 20 | Unlimited |
Hierarchical budget nodes allow you to subdivide budgets by team, project, or environment. The Free plan enforces a single org-level budget.
Timeout Limits
These timeouts are consistent across all plan tiers.
| Limit | Value | Notes |
|---|---|---|
| Request timeout | 120s | Max time for a proxied request to complete |
| SSE stream timeout | 300s | Max duration of a streaming response |
| Governance chain evaluation | 5s | Max time for all 6 governance steps combined |
| Auth rate limit (failed attempts) | 5 per 60s per IP | Applies to invalid API keys and JWT failures |
Security Limits
These are enforced globally and are not configurable per plan.
| Limit | Value |
|---|---|
| Auth lockout (failed attempts) | 5 per 60s per IP |
| PII scan patterns | 28 built-in patterns (SSN, credit card, API keys, etc.) |
| Security scanner rules | Prompt injection, jailbreak, data exfiltration |
| Model allowlist enforcement | Per-org (all tiers) |
Notes
Requesting limit increases
If your workload requires higher limits, contact us at support@curate-me.ai or reach out via your design-partner Slack channel. Growth and Enterprise plans support custom limit overrides configured per-organization.
Enterprise limits are negotiable
All Enterprise limits shown above are defaults. Enterprise contracts can include custom RPM, budget caps, runner quotas, and dedicated infrastructure.
Budget resets
- Daily budgets reset at UTC midnight (00:00:00 UTC).
- Monthly budgets reset on the 1st of each month at UTC midnight.
- Budget usage is tracked in real-time via Redis with periodic persistence to MongoDB.
Overage behavior
When a budget limit is reached, subsequent requests are rejected with 429 Too Many Requests until the budget resets. The gateway does not allow overage spending — if you need uninterrupted service, set budgets above your expected usage or configure alerts at 80% thresholds via the dashboard.
Response headers
Every proxied response includes headers that help you track your usage:
RateLimit-Limit: 300
RateLimit-Remaining: 247
RateLimit-Reset: 1714838460
X-CM-Request-Id: req_a1b2c3d4
X-CM-Governance-Time-Ms: 3
X-CM-Trace-Id: 4bf92f3577b34da6a3ce929d0e0e4736