500 simultaneous OAuth logins from the same NAT — rate limit and abuse-key questions
- Auth
- Web
- Cloud
Hi, I'd like to ask about rate limiting around Google OAuth login on Appwrite Cloud.
OVERVIEW
- Service type: A PWA (web app) for members of a university club
- Users: about 500
- Appwrite plan: Pro
- SDKs:
  - Frontend: appwrite (Web SDK) — called directly from the browser
  - Backend: node-appwrite (Server SDK / API Key) — used inside Next.js API Routes running on Cloudflare Workers
- Authentication: Google OAuth
AUTHENTICATION FLOW When a user logs in, the following requests hit Appwrite Cloud from the browser, in order:
(1) OAuth token initiation
- Endpoint: GET /v1/account/tokens/oauth2/google
- Caller: Browser (Web SDK not used; we build the URL ourselves and navigate via window.location)
- Purpose: Redirect to Google's consent screen

(2) Session creation after Google authentication
- Endpoint: POST /v1/account/sessions/token
- SDK call: account.createSession(userId, secret)
- Caller: Browser (Web SDK)
- Purpose: Create an Appwrite session from the userId / secret returned by the OAuth callback

(3) Get current user
- Endpoint: GET /v1/account
- SDK call: account.get()
- Purpose: Confirm successful login and verify the session on every page render

(4) Team membership check (admin / shift-manager role detection)
- Endpoint: GET /v1/teams/{teamId}/memberships
- SDK call: teams.listMemberships(teamId)
- Caller: Browser (Web SDK)
- Purpose: Toggle UI menus based on role

(5) JWT issuance (to be sent to our own server)
- Endpoint: POST /v1/account/jwts
- SDK call: account.createJWT()
- Purpose: Sent as a Bearer token to Next.js API Routes (e.g. /api/verify-user) running on Cloudflare Workers

(6) Server-side JWT verification
- Endpoint: GET /v1/account (via setJWT)
- SDK call: node-appwrite's setJWT(jwt) + account.get()
- Caller: Cloudflare Worker (server)
- Purpose: Ask Appwrite whether the received JWT is valid
ISSUES WE ARE FACING OR EXPECT TO FACE

A. Many users logging in simultaneously from the same network (NAT)
During club activities, we expect roughly 500 members to log in nearly simultaneously from the same Wi-Fi (i.e. the same global IP). Under that load:
For (2) POST /v1/account/sessions/token, our understanding is that the abuse-key is ip:{ip},userId:{param-userId}, so the quota is independent per user — this seems fine. However, we cannot tell from the documentation what the abuse-key is for (1) GET /v1/account/tokens/oauth2/google. If it is counted per IP, we are worried that simultaneous logins from the same NAT will trigger general_rate_limit_exceeded (429).
B. IP concentration on server-side JWT verification
Step (6), which calls Appwrite from Cloudflare Workers via setJWT, sends every request from Cloudflare's shared outbound IPs. The docs explicitly note that "rate limits apply when setSession is used in SSR", which applies to us as well. As concurrency grows, we expect to hit the per-IP rate limit on a single Cloudflare IP very quickly.

C. Number of initialization requests per logged-in user
Immediately after login, SWR (a data-fetching library) fires the following in parallel:
- account.get() x1
- teams.listMemberships(teamId) x2 (called for two different teams)
- databases.listDocuments(members) x1
- 24-hour prefetch of databases.listDocuments(...) x roughly 10 requests
So each user generates about 15 requests right after login. With 500 users logging in at once, that is roughly 7,500 requests fired from the same NAT in a very short window.
QUESTIONS

Q1. Rate limit on OAuth token initiation
Could you share the current Cloud values (abuse-limit / abuse-time / abuse-key) for GET /v1/account/tokens/oauth2/google? The official API reference only states "This endpoint is rate limited" without giving concrete numbers. In particular, we want to know whether the abuse-key is ip:{ip} alone, because that directly determines what happens under simultaneous logins from the same NAT.

Q2. Rate limit on POST /v1/account/sessions/token
Could you share the current values for account.createSession(userId, secret)? If the abuse-key is in fact ip:{ip},userId:{param-userId}, we understand the quota is independent per user. Is that correct?

Q3. Rate limit on account.createJWT()
Could you share the rate limit values (abuse-limit / abuse-time / abuse-key) for POST /v1/account/jwts? Every logged-in user calls this each session, so we want to understand the behavior under IP concentration.

Q4. Rate limit on teams.listMemberships
For GET /v1/teams/{teamId}/memberships, are the abuse-key and limit the defaults (url:{url},ip:{ip} / equivalent to a general route)?

Q5. Treatment of setJWT requests coming from Cloudflare Workers
When server-side code on Cloudflare Workers (with shared outbound IPs) calls session-related APIs via setJWT:
- How is the per-IP abuse-key counted? Is it aggregated across every request that exits via those shared IPs?
- Is there a recommended workaround? The documentation suggests "use the Server SDK + API Key", but step (6) in our app intentionally uses JWT verification in order to authenticate the actual end user, so switching to an API Key is not an option for that path.
Thanks in advance!
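As an added example (not code from the original post or from Appwrite), the following models a fixed-window limiter keyed by an abuse-key template, so the difference between a key of `url:{url},ip:{ip}` and one of `ip:{ip},userId:{param-userId}` under 500 near-simultaneous logins from one NAT can be seen directly. The limit values, window, NAT IP and user ids are constructed placeholders, not Appwrite Cloud's real settings.

```javascript
// Added example (not from the original post or Appwrite): a fixed-window
// rate limiter keyed by an "abuse-key" template, used to see how the key
// composition changes behaviour when many users share one NAT IP.
// Limit values below are constructed placeholders, not Appwrite's real values.

class AbuseKeyLimiter {
  constructor({ template, limit, windowSeconds }) {
    this.template = template;      // e.g. "ip:{ip},userId:{param-userId}"
    this.limit = limit;            // requests allowed per key per window
    this.windowMs = windowSeconds * 1000;
    this.buckets = new Map();      // rendered key -> { start, count }
  }
  // Render the abuse-key for one request by filling the template placeholders.
  keyFor(req) {
    return this.template.replace(/\{([^}]+)\}/g, (_, name) => {
      const map = { ip: req.ip, 'param-userId': req.userId, url: req.url };
      return map[name] ?? '';
    });
  }
  // Returns true if the request is allowed, false if it would receive a 429.
  allow(req, nowMs) {
    const key = this.keyFor(req);
    let b = this.buckets.get(key);
    if (!b || nowMs - b.start >= this.windowMs) {
      b = { start: nowMs, count: 0 };   // open a fresh window for this key
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Simulate N distinct users behind one NAT hitting one route within one window.
function simulateBurst({ template, limit, windowSeconds, users, url }) {
  const limiter = new AbuseKeyLimiter({ template, limit, windowSeconds });
  let rejected = 0;
  for (let i = 0; i < users; i++) {
    const req = { ip: '203.0.113.10', userId: `user-${i}`, url }; // constructed NAT IP
    if (!limiter.allow(req, 1000 + i)) rejected += 1;              // 1 ms apart
  }
  return { allowed: users - rejected, rejected };
}

// Hypothetical limit of 10 per 60 s, applied under the two key templates in question.
const perIp = simulateBurst({ template: 'url:{url},ip:{ip}', limit: 10, windowSeconds: 60, users: 500, url: '/v1/account/tokens/oauth2/google' });
const perIpUser = simulateBurst({ template: 'ip:{ip},userId:{param-userId}', limit: 10, windowSeconds: 60, users: 500, url: '/v1/account/sessions/token' });
console.log(perIp, perIpUser); // { allowed: 10, rejected: 490 } vs { allowed: 500, rejected: 0 }
```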