Skip to content

Rate Limiting and Account Locking

Odeion ships two layers of login protection: automatic rate limiting of failed attempts, and manual per-account locking.

Failed login attempts are counted in a fixed window, tracked independently per client IP and per username:

ParameterValue
Failure budget10 failures per key
Window15 minutes
Keysclient IP and username, independently

Once a key exceeds its budget, further attempts are refused until the window expires, and the response says how long to wait. A successful login clears the username’s counter (so users are not punished for their own typos) but not the IP’s counter, so a host that guessed one account does not get a clean slate against others.

Notes:

  • Only failures count; successful logins do not consume budget.
  • Invite code redemption is throttled per IP the same way.
  • Counters are in-memory and reset when the server restarts.
  • The limits are fixed and not currently configurable.

Admins can lock any account from Admin > Users. A locked account:

  • Cannot sign in with a password, OAuth, or a device link code.
  • Cannot use its existing sessions; requests fail until unlocked.
  • Cannot use its API keys.

Locking does not delete anything. Existing sessions resume working when the account is unlocked.

MethodWhereNotes
Admin unlockAdmin > UsersThe normal path.
CLI resetodeion reset-password <username> on the server hostClears the lock and issues a reset link in one step. The escape hatch when the locked account is the only admin.

A reset link generated from the admin UI does not clear the lock; see Password Reset.

Two kill switches act as emergency brakes: Login refuses all new logins (existing sessions keep working), and OAuth disables provider logins specifically. Both take effect immediately.