We don't publish
your competitive advantage.

IFCalling brave_local_search tool with parallel requests for POI data and descriptions causes rate limit exceeded errors for free and pro tier Brave Search API keys.

THENImplement request throttling using the rate limit headers from Brave Search API responses (e.g., X-RateLimit-*) to enforce a maximum of one request per second for free keys, or queue requests sequentially with a delay. For pro keys, still apply a conservative throttle to avoid bursts. Alternatively, use a library like p-limit to limit concurrency.

IFNeed to control request frequency to MCP servers to prevent abuse or overload.

THENEnable the MCP Rate Limit middleware in MetaMCP. Configure rate limits at the namespace or endpoint level. MetaMCP provides built-in traffic management capabilities.

IFBrave Search API returns 'Rate limit exceeded' when using brave_local_search tool due to parallel unthrottled requests (Promise.all) that exceed the per-second quota.

THENImplement request throttling by controlling concurrency. Use a rate limiter (e.g., p-limit) to ensure no more than one request per second for free tier, or parse the X-RateLimit-* headers from API responses to dynamically adjust the request rate. Replace the Promise.all call with sequential or concurrency-limited calls to avoid exceeding the rate limit.

IFPublic free-scan endpoints are easily tarpitted; attackers can enumerate patterns or burn budget by hammering them, but legitimate first-time onboard must not be blocked.

THENImplement IP + URL pair rate-limit middleware on public endpoints (e.g., /sync/onboard) with same-resource exemption. Allow re-onboarding the same URL freely; only count new URLs per IP per time window.

IFBrave Local Search tool makes parallel API requests without throttling, exceeding API key rate limits.

THENImplement request throttling, such as a queue with a configurable delay between calls. Monitor the rate limit headers in API responses to dynamically adjust the delay and avoid exceeding limits.

IFAgent may overwhelm external APIs or internal resources due to burst of requests.

THENImplement a GCRA (Generic Cell Rate Algorithm) rate limiter with cost-aware token buckets. Respect per-endpoint limits and prioritize essential actions.

IFPublic scan endpoints are susceptible to tarpitting; need throttling without blocking legitimate retries.

THENImplement IP+URL pair rate limit middleware on endpoints like /sync/onboard. Allow re-onboarding the same URL without counting against the limit.

IFTPM quota only counts output tokens, not input tokens, allowing users to bypass rate limits with large prompts.

THENSet `general_settings.token_rate_limit_type: 'total'` in your LiteLLM configuration to include both input and output tokens in TPM quota calculations. Alternatively, upgrade to a version that includes PR #17707, which fixes this permanently.

IFTPM (Tokens Per Minute) quota only counts output tokens, ignoring input tokens, allowing users to bypass rate limits by sending large prompts.

THENUpdate the TPM quota calculation to include both input and output tokens (total_tokens = input_tokens + output_tokens). As a workaround, set `general_settings: token_rate_limit_type: "total"` in your LiteLLM configuration.

IFTPM quota only counts output tokens, ignoring input tokens, allowing users to bypass rate limits with large prompts.

THENSet `general_settings.token_rate_limit_type: "total"` in your LiteLLM configuration to count both input and output tokens. Alternatively, upgrade to the version containing the fix from PR #17707.

IFParallel requests to Brave Search API via Promise.all cause rate limit exceeded for free tier (1 req/s) and sometimes for paid tiers.

THENImplement rate limiting by using response headers (e.g., X-RateLimit-*) to throttle requests. Avoid firing all requests concurrently; instead, queue them with delays or use a rate limiter library such as p-limit or bottleneck to respect the API's rate limits. For example, set a concurrency of 1 and add a 1-second delay between requests if the free tier is detected.

IFLoad balancer or API gateway needs to apply rate limits per user/tenant but cannot parse MCP JSON body efficiently.

THENUse the `x-mcp-header` mechanism to expose a tenant ID (e.g., `Mcp-Param-TenantId`) as a custom header. Configure the intermediary to rate-limit based on this header without deep packet inspection.