BackendAdmin UI

Limits & Security

Configure rate limits, query constraints, JWT validation, CORS policies, and audit logging.


Rate limits & query constraints

Configure limits that protect the engine from abuse. Use presets for common scenarios or fine-tune each value individually. Every slider shows the current security posture — strict, balanced, or permissive.

Query Limits

| Limit | Setting | Unit | What it prevents |
| --- | --- | --- | --- |
| Max Rows | Maximum rows a single query can return | rows | Queries returning excessive data |
| Relation Depth | Maximum depth for nested relation queries | levels | Deeply nested joins that slow the database |
| Filter Nesting | Maximum nesting depth for $and/$or/$not operators | levels | Complex $and/$or/$not trees |
| Filter Conditions | Maximum total filter conditions per query | conditions | Queries with too many conditions |
| Query Timeout | Kill queries that exceed this duration | ms | Runaway queries that block connections |

Rate Limits

| Limit | Setting | Unit | What it prevents |
| --- | --- | --- | --- |
| Rate Limit / User | Maximum requests per minute per authenticated user | req/min | Authenticated users hammering the API |
| Rate Limit / IP | Maximum requests per minute per IP address | req/min | Unauthenticated or bot traffic floods |
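The Filter Nesting and Filter Conditions limits above are enforced before a query ever reaches the database. The following is an added example, not the engine's own code, showing how such a pre-check can walk a JSON filter tree; it assumes the filter shape `{"$and": [...]}`, `{"$or": [...]}`, `{"$not": {...}}` with field comparisons such as `{"age": {"$gt": 18}}` as leaves, and counts nesting depth as the number of enclosing logical operators (a flat filter is depth 0).

```python
def filter_stats(node, depth=0):
    """Return (nesting_depth, condition_count); depth counts enclosing $and/$or/$not."""
    if not isinstance(node, dict):
        raise ValueError("filter node must be a JSON object")
    max_depth, conditions = depth, 0
    for key, value in node.items():
        if key in ("$and", "$or"):
            if not isinstance(value, list):
                raise ValueError(f"{key} expects a list of sub-filters")
            children = value
        elif key == "$not":
            children = [value]  # assumption: $not wraps a single sub-filter
        else:
            conditions += 1  # leaf field comparison, e.g. {"age": {"$gt": 18}}
            continue
        for child in children:
            child_depth, child_conditions = filter_stats(child, depth + 1)
            max_depth = max(max_depth, child_depth)
            conditions += child_conditions
    return max_depth, conditions

def check_filter_limits(node, max_nesting, max_conditions):
    """Enforce the Filter Nesting and Filter Conditions limits; returns (ok, reason)."""
    try:
        depth, conditions = filter_stats(node)
    except (ValueError, RecursionError) as exc:  # malformed or absurdly deep tree
        return False, f"malformed filter: {exc}"
    if depth > max_nesting:
        return False, f"filter nesting depth {depth} exceeds limit {max_nesting}"
    if conditions > max_conditions:
        return False, f"filter has {conditions} conditions, limit is {max_conditions}"
    return True, "ok"

def build_not_chain(levels):
    """Constructed sample: one condition wrapped in `levels` nested $not operators."""
    node = {"status": "active"}
    for _ in range(levels):
        node = {"$not": node}
    return node

if __name__ == "__main__":
    samples = {  # constructed sample filters, checked against 3 levels / 25 conditions
        "simple": {"status": "active", "age": {"$gt": 18}},
        "nested": {"$and": [{"$or": [{"a": 1}, {"b": 2}]}, {"c": 3}]},
        "deep $not chain": build_not_chain(20),
        "wide $or": {"$or": [{"id": i} for i in range(40)]},
    }
    for name, flt in samples.items():
        print(f"{name}: {check_filter_limits(flt, max_nesting=3, max_conditions=25)}")
```

Because the check runs on the parsed filter before SQL generation, a rejected query costs no database connection or execution time.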

Security settings

Configure JWT validation rules, CORS policies, and audit logging from a unified security panel. Every change is validated and takes effect immediately in interactive mode.

JWT Validation

  - Allowed Algorithms
  - Clock Skew (seconds)

CORS

  - Allowed Origins, for example https://myapp.com and https://admin.myapp.com
  - Allow Credentials: send cookies and auth headers in cross-origin requests

Audit Logging

  - Log SQL Queries: record the generated SQL statement
  - Log Parameters: record query bind parameters (may contain PII)
  - Log Duration: record query execution time in milliseconds
  - Retention Period

Warning: Query parameters may contain PII. Consider disabling in production or reducing retention.

Defense layers

The engine applies security in order — each layer must pass before the next runs:

  1. Rate limiting — per-user and per-IP throttle
  2. JWT validation — algorithm allowlist, issuer, audience, expiry
  3. Permission check — table, operation, columns, row-level filters
  4. Query isolation — per-request connection, sandboxed execution
  5. Audit log — every query recorded with user, table, operation, duration

JWT configuration

| Setting | What it does |
| --- | --- |
| Algorithms | Allowlist of signing algorithms. Use RS/ES for production — HMAC (HS*) uses symmetric keys. |
| Issuer | Reject tokens not issued by your auth server |
| Audience | Reject tokens not intended for your API |
| Clock Skew | Tolerance for clock drift between servers (in seconds) |

CORS configuration

| Setting | What it does |
| --- | --- |
| Allowed Origins | Which domains can make cross-origin requests to the API |
| Credentials | Whether to allow cookies and auth headers in cross-origin requests |

Audit logging

| Setting | What it does |
| --- | --- |
| Enabled | Master toggle for audit logging |
| Log Query | Record the generated SQL statement |
| Log Params | Record query bind parameters (may contain PII) |
| Log Duration | Record query execution time in milliseconds |
| Retention | How long to keep logs before auto-deletion |

See Security for the full defense-in-depth architecture.
