Skip to main content

Documentation Index

Fetch the complete documentation index at: https://paper.brimble.io/llms.txt

Use this file to discover all available pages before exploring further.

The hard limits Brimble’s edge enforces on incoming traffic. These protect your service from abusive single-source traffic and don’t depend on your project’s compute capacity.

Public traffic

Public request rate limits are enforced at Cloudflare, the layer that fronts every Brimble URL. Cloudflare’s limits adapt to traffic patterns and the type of request (browser, API, bot), so there’s no single fixed “N requests per minute” we publish, what counts as abusive is judged in real time. What you can rely on:
  • A burst of normal traffic from a single user won’t get throttled.
  • A clear flood from one IP (scraping, password spraying, simple DDoS) is blocked at the edge before it reaches your container.
  • When a request is throttled, the client gets 429 Too Many Requests from Cloudflare. Bodies and other limits are independent.
For request-shape limits Brimble enforces directly:
LimitValue
Body size5 MB per request
Header size8 KB
URL length8 KB
Over-size bodies get 413 Payload Too Large.

Internal traffic

Service-to-service calls inside Brimble’s network (your projects calling each other over *.service.brimble.internal, the dashboard talking to the API) don’t go through Cloudflare and aren’t subject to public rate limits. Your internal traffic doesn’t count against any limit.

Build minutes

A separate limit governs builders:
PlanBuild minutes / monthConcurrent builds
Free1000 (queued)
Hacker5001
Pro2,0002
Team5,000 + 1,000 / extra buildVariable
Once monthly build minutes are exhausted on a paid plan, overage bills at $0.002/minute and rolls into the next invoice. On the free plan, builds queue indefinitely until the cycle resets.

Webhook delivery

Brimble retries failed webhook deliveries with exponential backoff:
RetryWait
11 minute
25 minutes
330 minutes
42 hours
512 hours
After 5 failed retries, the delivery is dropped. The webhook is not disabled; future events still try to deliver. Each delivery has a 10-second timeout. Your endpoint must return a response within 10 seconds.

Sensitive operations

A few operations require step-up 2FA before running:
  • Delete a project.
  • Delete a custom domain.
  • Rotate a database password.
  • Transfer a domain out of Brimble.
  • Transfer team ownership.
The 2FA prompt allows 5 wrong attempts per challenge, then locks for a cooling-off period.

Higher limits

For workloads that need more headroom than the default public-traffic posture (high-traffic public APIs, large file ingest, and similar), contact support. Custom Cloudflare rules and custom body size limits are available on Pro and Team plans, those go through support or a plan upgrade.
Last modified on May 10, 2026