Two layers protect the service: per-token-per-minute counters, and per-tool concurrency caps for heavy tools.

Per-token, per-minute

| Auth kind | Default | Maximum | Configurable per key |
|---|---|---|---|
| OAuth access token | 60 / min | 60 / min | No (fixed) |
| Direct API key | 600 / min | 6,000 / min | Yes — set when creating the key in Integrations → MCP for Claude & Cursor |

Counters reset every wall-clock minute. When you hit the cap you get:
{
  "isError": true,
  "content": [{ "type": "text", "text": "Rate limit exceeded for this token. Try again in 12 seconds. ..." }],
  "structuredContent": { "retry_after_s": 12 }
}
The retry_after_s value is the number of seconds until the next minute starts, which is when the counter resets.
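
One way for a client to honor this response, as an added example that is not part of the Trodo documentation. `call_tool` is a hypothetical stand-in for your MCP client's tool-call method, assumed to return the parsed result as a dict in the shape shown above; the sample responses are constructed.

```python
import time

def retry_after_seconds(result):
    """Return the wait in seconds if `result` is a rate-limit error, else None."""
    if not isinstance(result, dict) or not result.get("isError"):
        return None
    structured = result.get("structuredContent") or {}
    wait = structured.get("retry_after_s")
    # Trust only a non-negative number; other tool errors carry no retry hint.
    if isinstance(wait, bool) or not isinstance(wait, (int, float)) or wait < 0:
        return None
    return wait

def call_with_backoff(call_tool, name, arguments, max_attempts=3, sleep=time.sleep):
    """Call a tool, waiting out the window whenever the server rate-limits it.

    `call_tool(name, arguments)` is hypothetical: substitute your MCP client's
    tool-call method, as long as it returns the parsed result dict.
    """
    result = None
    for attempt in range(1, max_attempts + 1):
        result = call_tool(name, arguments)
        wait = retry_after_seconds(result)
        if wait is None:
            return result  # success, or an error that is not a rate limit
        if attempt < max_attempts:
            # Rate-limited requests are counted too, so retrying before the
            # counter resets is a wasted call. Wait the full interval.
            sleep(wait)
    return result  # still rate-limited after max_attempts

# Constructed sample responses: one rate-limited reply, then a success.
SAMPLE_LIMITED = {
    "isError": True,
    "content": [{"type": "text", "text": "Rate limit exceeded for this token. Try again in 12 seconds. ..."}],
    "structuredContent": {"retry_after_s": 12},
}
SAMPLE_OK = {"isError": False, "content": [{"type": "text", "text": "ok"}]}

def demo():
    """Replay the two constructed responses and record the requested sleeps."""
    responses = iter([SAMPLE_LIMITED, SAMPLE_OK])
    slept = []
    result = call_with_backoff(lambda n, a: next(responses),
                               "list_issue_clusters", {}, sleep=slept.append)
    return result, slept

if __name__ == "__main__":
    print(demo())
```
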

Per-tool concurrency caps

Some tools are heavier than others — semantic-search, cluster reads, and PII fuzzy matches can each run for several seconds. We cap per-token concurrent invocations of these specific tools at 3:
  • find_users
  • list_use_case_clusters
  • list_issue_clusters
  • get_cluster_summary
  • get_failed_user_attempts
If you have 4+ concurrent calls to the same heavy tool from the same token, the 4th waits in line until one of the in-flight calls finishes. No error — just queueing. This prevents one chatty agent from starving the pool for everyone else.

PII daily quota

To prevent enumeration attacks, find_users and other mcp:user:read_pii tools share a per-team daily quota of 100 calls, regardless of how many tokens you have. This is independent of the per-minute rate limit.

Need higher limits?

  • Bump the API key’s rate_limit_per_min in Integrations → MCP for Claude & Cursor up to 6,000.
  • Open multiple keys for separate workloads — each gets its own counter.
  • Enterprise plan has soft-limit headroom; contact [email protected] for custom caps.

What gets counted

Every successful request and every rate-limited request counts. Cancelled requests (where the client closes the connection) still count if they reach the server. Failed authentication doesn’t count toward the per-token rate limit (because there is no token).