Spam Protection and Rate Limits

Boei has several built-in protections that stop a single abusive visitor (or a script) from burning through your AI message credits. Some are automatic and always on. One is configurable per chatbot, so you can tighten the limit further on public-facing widgets.

How to get there: The configurable limit lives under Setup → Chatbot in the top menu → click your chatbot → Advanced → Rate Limit.

The Three Layers of Protection

Layer What it does Configurable?
Built-in safety throttle Hard cap of 10 AI messages per minute per conversation No, always on
Per-visitor rate limit Custom cap (e.g. "30 messages per hour") per conversation Yes, per chatbot
Plan message limit Monthly AI message quota tied to your subscription Yes, via plan upgrade

All three apply independently. A visitor must pass every active layer before a message is sent to the AI and counted against your credits.

Layer 1: Built-In Safety Throttle

Every AI chatbot is protected by a hardcoded throttle that always applies:

  • 10 AI messages per minute per conversation session
  • 30 messages per minute per session when a live agent has taken over

When a visitor exceeds it, the widget returns a 429 Too Many Requests response and the message is not sent to the AI, so no credit is consumed. The visitor sees a generic "Too many requests. Please slow down." message and can retry once the window resets.

This protection is per conversation session (per load_key), not per IP, so a busy office network sharing one IP is never blocked by another user's activity.

You don't need to configure this. It's there to absorb runaway scripts, malfunctioning integrations, and accidental rapid-fire submissions on every chatbot.

Layer 2: Per-Visitor Rate Limit (Configurable)

For public chatbots where you want a tighter budget, you can add a second, custom limit on top of the safety throttle.

See Chatbot Settings → Per-Visitor Rate Limit for the full configuration guide.

Common settings:

Use case Messages Window
Free-tier protection on a public site 30 3600 (1 hour)
Generous support chatbot 100 86400 (1 day)
Tight cost control on a small plan 10 3600 (1 hour)

When this limit is reached, the visitor sees a message you can customize (e.g. "You have sent too many messages. Please wait a moment before continuing."). Their existing conversation stays open; only new messages are blocked until the window expires.

Like the safety throttle, this limit is per conversation session, not per IP.

Layer 3: Plan Message Limit

Your subscription plan defines how many AI messages your business can process per month across all chatbots. When you hit the plan cap, the chatbot stops responding and visitors see a friendly "out of credits" message until your billing cycle resets or you upgrade.

See Plans and Pricing for the message quota on each plan.

What Counts As "Abusive"?

A visitor that triggers any of the above protections is usually one of:

  • Bots and crawlers hitting the widget endpoint repeatedly
  • Malfunctioning custom integrations sending the same payload in a tight loop
  • Curious power users sending dozens of test messages
  • Genuine abuse — someone deliberately trying to drain your credits

In all four cases the same protections apply. The safety throttle alone is usually enough to make scripted abuse expensive (10 messages per minute caps out at ~14,400 per day per session, but a per-visitor limit of 30 per hour drops that to 720).

What Happens When a Limit Is Hit

Limit HTTP response Credit charged? Conversation preserved?
Safety throttle 429 with Retry-After header No Yes
Per-visitor limit 429 with custom message No Yes
Plan message limit Friendly "out of credits" message No Yes

A blocked message never consumes credits or hits the AI provider. The visitor's history, lead info, and any previously-collected data stay intact.

If your chatbot is on a high-traffic public page (homepage, pricing page, blog), a sensible default is:

  1. Keep the safety throttle on (it always is).
  2. Set a per-visitor rate limit of around 30 messages per hour (max=30, window=3600).
  3. Pick a plan whose monthly message quota matches your real traffic plus a 2x safety margin.

For internal chatbots (logged-in customer area, employee help desk), you usually don't need a per-visitor limit, since the audience is trusted and identified.