API Services
API Services run as Docker containers in Pivot's AWS VPC as Elastic Container Service (ECS) services and serve HTTP, Connect, or WebSocket APIs.
Exception: Auth provides a server-side rendered frontend in addition to an HTTP JSON API, so in that sense it is not just an API service.
Rate Limiting
We use Cloudflare's WAF to rate limit requests to all API services, in the following ways:
- Auth: IP based limit applied for all requests.
- Pilot: IP based limit applied for all HTTP requests. Traffic in the form of WebSocket frames for already accepted WebSocket connections is not limited at the firewall level, but is limited in memory by the Pilot application code.
- Friend: IP based limit applied for all requests.
- Rest: IP based limit applied for all requests, and limits also applied based on the value of the Authorization header. The WAF requires this header to have a value and limits requests on the basis of that value, which keeps the same Pivot API key from sending too many requests from a variety of IPs.
- Tunnel: IP based limit applied for all requests with substantial headroom as well as source whitelisting to account for the bursty nature of Stripe, LiveKit, and Mux workloads.
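
The firewall only sees the HTTP upgrade for a Pilot WebSocket connection, so frames sent afterwards have to be limited by the application itself. The Go code below is an added example of one way to do that with a per-connection token bucket; it is not Pivot's code, and the `FrameLimiter` type, the rate of 5 frames per second and the burst of 10 are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// FrameLimiter is a token bucket kept in memory for one accepted WebSocket
// connection (hypothetical type). Not goroutine-safe: call it from the
// connection's single read loop.
type FrameLimiter struct {
	rate, burst, tokens float64 // refill per second, capacity, current balance
	last                time.Time
}

func NewFrameLimiter(rate, burst float64, now time.Time) *FrameLimiter {
	return &FrameLimiter{rate: rate, burst: burst, tokens: burst, last: now}
}

// Allow reports whether a frame arriving at now may be processed.
func (l *FrameLimiter) Allow(now time.Time) bool {
	if elapsed := now.Sub(l.last).Seconds(); elapsed > 0 {
		// Refill for the time since the last frame, capped at burst so an
		// idle connection cannot bank unlimited credit.
		l.tokens = math.Min(l.burst, l.tokens+elapsed*l.rate)
		l.last = now
	}
	if l.tokens < 1 {
		return false // caller drops the frame or closes the connection
	}
	l.tokens--
	return true
}

func main() {
	start, allowed := time.Unix(0, 0), 0
	l := NewFrameLimiter(5, 10, start) // assumed: 5 frames/s, burst of 10
	// Constructed traffic: 30 frames arriving 1 ms apart.
	for i := 0; i < 30; i++ {
		if l.Allow(start.Add(time.Duration(i) * time.Millisecond)) {
			allowed++
		}
	}
	fmt.Println("allowed", allowed, "of 30")
}
```

Passing the arrival time in, rather than reading the clock inside `Allow`, keeps the limiter deterministic under test.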