# 91 — Rate Limiting

PartnerDesk protects itself and its tenants against brute-force attacks and spam with central rate limits.

## What is limited?

| Endpoint | Limit | Identifier |
|----------|-------|------------|
| **Login** (all three: superadmin, admin, partner) | 5/min | IP + email |
| **Webhook** (all providers) | 120/min | IP + tenant + provider |
| **Public API** | 600/min | API-key UUID |
| **Signup** | 10/hour | IP |
| **Tracking pixel** (click capture) | 1000/min | IP |
| **Forgot password** | 5/hour | Email + IP |

## What happens when a limit is exceeded?

- HTTP status **`429 Too Many Requests`**.
- The `Retry-After` header states how many seconds to wait before the next attempt.
- For webhooks: the provider usually retries automatically after a backoff.

## Why these limits?

### Login (5/min)

Brute-force protection. Even if an attacker sets out to guess the password, they get only 5 attempts per minute; for an 8-character password that takes centuries.

### Webhook (120/min)

Protection against provider storms. During a migration run or a test burst, sales webhooks can arrive by the minute. 120/min is enough for legitimate peaks but blocks endless loops.

### Public API (600/min)

Per API key. Prevents a tenant from overloading the platform with faulty code (e.g. an endless loop).

### Signup (10/hour)

Protection against mass spam signups that would flood the system with fake tenants.

### Tracking (1000/min)

Generous. Protection against bot spam on tracking pixels. Real users never generate 1000 clicks per minute.

### Forgot password (5/hour)

Prevents email spam. If an attacker knows a user's email address, they cannot send reset mails to that person at will.

## Storage

All limits are stored in **Redis**. This makes them:
- Multi-instance capable (several app containers share the same counter).
- Very fast (Redis is in-memory).

## Token bucket vs. sliding window

- **Login**: token bucket; 5 tokens, one token is refilled every 12 s.
- **Webhook, API, tracking**: sliding window; how many requests arrived in the last 60 s.

Both strategies are robust against burst attacks.

## What you experience as a tenant

In normal operation you notice nothing. The limits are chosen so that legitimate use is never affected.

If it does happen:
- **Your own workflow bot** exceeds the API limit → adapt the code (throttling, pagination).
- **A provider sends too many webhooks** → clarify with the provider if this is unexpected.

## What you experience as a partner

With a wrong password: after 5 failed attempts, the login pauses for one minute.

## Under DDoS

Real DDoS attacks (massive request volumes from many sources) are not handled by rate limiting alone, but by:
- **Cloudflare** (or a similar CDN/DDoS protection in front of PartnerDesk).
- **Hetzner DDoS protection** (server-provider level).
- **Caddy/Nginx rate limit** (reverse-proxy level).

Multi-layered protection; the application's own rate limit is the last line of defence.

## Related chapters

- **[03 — Roles & Permissions](03-rollen.md)**
- **[90 — 2FA](90-2fa.md)**
- **[112 — Webhook Event Log](112-webhook-event-log.md)**

---

**Technical deep-dive docs**: [`../028-rate-limit-2fa-sentry.md`](../028-rate-limit-2fa-sentry.md), [`../125-rate-limit-public.md`](../125-rate-limit-public.md)

Last updated: 2026-06-01T21:39:08+02:00
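The two strategies from the "Token bucket vs. sliding window" section, worked through as an added example. This is illustration code written for this page, not PartnerDesk's own implementation: it keeps the counters in a plain dict instead of Redis, uses an injectable clock so the refill and window behaviour can be stepped through deterministically, and the IP, email and tenant values in the simulations are constructed. It uses the page's parameters (login: 5 tokens, one refilled every 12 s; webhook: 120 requests per 60 s) and derives the `Retry-After` value for a refused request.

```python
"""Token-bucket and sliding-window limiters (added example, not PartnerDesk code).
Counters live in a dict here; in production they sit in Redis so that several
app containers share them."""
import math
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    retry_after: int  # seconds for the Retry-After header, 0 when allowed


class TokenBucket:
    """Login-style limiter: `capacity` tokens, one refilled every `refill_seconds`."""

    def __init__(self, capacity=5, refill_seconds=12.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_seconds = refill_seconds
        self.clock = clock
        self._state = {}  # key -> (tokens, timestamp of last update)

    def check(self, key):
        now = self.clock()
        tokens, last = self._state.get(key, (float(self.capacity), now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) / self.refill_seconds)
        if tokens >= 1:
            self._state[key] = (tokens - 1, now)
            return Decision(True, 0)
        # Refused: wait until one whole token has accumulated.
        self._state[key] = (tokens, now)
        return Decision(False, math.ceil((1 - tokens) * self.refill_seconds))


class SlidingWindow:
    """Webhook/API/tracking limiter: at most `limit` requests in the last `window_seconds`."""

    def __init__(self, limit=120, window_seconds=60.0, clock=time.monotonic):
        self.limit = limit
        self.window_seconds = window_seconds
        self.clock = clock
        self._log = {}  # key -> timestamps of requests still inside the window

    def check(self, key):
        now = self.clock()
        cutoff = now - self.window_seconds
        stamps = [t for t in self._log.get(key, []) if t > cutoff]
        if len(stamps) < self.limit:
            stamps.append(now)
            self._log[key] = stamps
            return Decision(True, 0)
        self._log[key] = stamps
        # Refused: the oldest request in the window must expire first.
        return Decision(False, math.ceil(stamps[0] - cutoff))


def login_key(ip, email):
    """Identifier 'IP + email' from the table; the email is normalised."""
    return f"login:{ip}:{email.strip().lower()}"


def http_response(decision):
    """Status and headers a middleware would emit for a decision."""
    if decision.allowed:
        return 200, {}
    return 429, {"Retry-After": str(decision.retry_after)}


class FakeClock:
    """Deterministic clock for the simulations below (assumption: test helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_login_burst():
    """Six login attempts at once, then one more after the 12 s refill."""
    clock = FakeClock()
    bucket = TokenBucket(capacity=5, refill_seconds=12.0, clock=clock)
    key = login_key("203.0.113.7", "Alice@example.com")  # constructed values
    burst = [bucket.check(key) for _ in range(6)]
    clock.advance(12)
    return {
        "allowed_in_burst": sum(d.allowed for d in burst),
        "sixth_response": http_response(burst[5]),
        "allowed_after_12s": bucket.check(key).allowed,
    }


def simulate_webhook_storm():
    """121 webhooks at 250 ms spacing, then a retry 30 s later."""
    clock = FakeClock()
    window = SlidingWindow(limit=120, window_seconds=60.0, clock=clock)
    key = "webhook:203.0.113.7:tenant-42:stripe"  # IP + tenant + provider, constructed
    allowed = 0
    for _ in range(121):
        clock.advance(0.25)
        allowed += window.check(key).allowed
    refused = window.check(key)
    clock.advance(refused.retry_after)
    return {
        "allowed": allowed,
        "retry_after": refused.retry_after,
        "allowed_after_wait": window.check(key).allowed,
    }


if __name__ == "__main__":
    print(simulate_login_burst())
    print(simulate_webhook_storm())
```

The token bucket stores fractional tokens, so a client that waits 6 s has half a token and is still refused with a `Retry-After` of 6; the sliding window reports the exact number of seconds until the oldest request drops out of the 60 s window, which is why 121 webhooks 250 ms apart yield a 30 s wait. Replacing the dicts with Redis keys (a hash per bucket, a sorted set per window) is what makes the counters shared across app containers, as the "Storage" section describes.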