From 0cbc4e308f625874dafd2a1291f0f1f04cd08392 Mon Sep 17 00:00:00 2001
From: Edward Oliveira
Date: Mon, 11 May 2026 19:12:07 -0300
Subject: [PATCH] Lower API rate limit threshold from 60 to 35 req/min

Forces script/integration owners toward sane polling intervals. 35/min is still well above any legitimate use case (a live session panel at 10 s intervals needs only 6/min). Threshold remains env-configurable (API_RATE_LIMIT_THRESHOLD) for future adjustment.

Co-Authored-By: Claude Sonnet 4.6
---
 sapl/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sapl/settings.py b/sapl/settings.py
index d21481457..27f26474c 100644
--- a/sapl/settings.py
+++ b/sapl/settings.py
@@ -445,7 +445,7 @@ API_QUOTA_WEEKLY = config('API_QUOTA_WEEKLY', default=3500, cast=int)
 # API-specific per-minute rate limit for external (non-same-origin) anonymous calls.
 # Abuse writes rl:api:ip::blocked only — never rl:ip::blocked.
 API_RATE_LIMIT_ENABLED = config('API_RATE_LIMIT_ENABLED', default=True, cast=bool)
-API_RATE_LIMIT_THRESHOLD = config('API_RATE_LIMIT_THRESHOLD', default=60, cast=int)
+API_RATE_LIMIT_THRESHOLD = config('API_RATE_LIMIT_THRESHOLD', default=35, cast=int)
 API_RATE_LIMIT_WINDOW_SECONDS = config('API_RATE_LIMIT_WINDOW_SECONDS', default=60, cast=int)
 API_RATE_LIMIT_BLOCK_SECONDS = config('API_RATE_LIMIT_BLOCK_SECONDS', default=300, cast=int)
 API_RATE_LIMIT_SAME_ORIGIN_BYPASS = config('API_RATE_LIMIT_SAME_ORIGIN_BYPASS', default=True, cast=bool)
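Review bot: The new default on the `API_RATE_LIMIT_THRESHOLD` line carries no in-code rationale; the reasoning for 35 (a 10 s poller needs only 6/min) lives only in the commit message, so I would add above it `# 35/min default: a 10 s poller needs 6/min; raise via env if clients share an egress IP.` The block key named in the comment above looks per-IP, so integrations behind one NAT or proxy address would presumably share this budget and be blocked together for `API_RATE_LIMIT_BLOCK_SECONDS` (default 300). Checking current per-IP request rates in the limiter's logs before rollout would show which callers cross 35. The value is also read with `cast=int` and no range check in this hunk, so a 0 or negative override is accepted at load time; how the limiter treats that is not visible here.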