
fix(auth): disable API key rate limiting — breaks MCP after ~7 calls #2902

Merged
saddlepaddle merged 1 commit into main from saddlepaddle/fix-api-key-rate-limit on Mar 26, 2026

Conversation

Collaborator

@saddlepaddle saddlepaddle commented Mar 26, 2026

Summary

  • Better-auth's API key plugin defaults to 10 requests per 24 hours with rate limiting enabled
  • MCP clients use ~3 requests on init (capabilities, tool listing, etc.), leaving only ~7 tool calls before the key gets blocked
  • Disables rate limiting on API keys entirely — our API already has its own rate limiting at the infrastructure level

Context

Customer reported API keys dying after a handful of MCP tool calls. Root cause is better-auth's aggressive default rate limit config that we weren't overriding.

Test plan

  • Create a new API key and verify MCP works beyond 10 requests
  • Verify existing API keys are unaffected (rate limit fields in DB are per-key, but new config prevents new keys from getting the restrictive defaults)

Summary by cubic

Disabled better-auth API key rate limiting to stop MCP keys from being blocked after ~7 calls. Our infra already enforces rate limits, so keys now work beyond the previous 10-requests/24h default.

  • Bug Fixes
    • Set rateLimit.enabled = false in the API key plugin.
    • New keys no longer inherit restrictive defaults; existing keys remain unchanged.

Written for commit f248042. Summary will update on new commits.

Summary by CodeRabbit

  • Bug Fixes
    • API key authentication requests are no longer subject to rate limiting, allowing for more reliable access to authentication endpoints without hitting rate limit thresholds.

Better-auth defaults to 10 requests per 24 hours per API key. MCP
clients burn 3 requests on init alone, causing keys to stop working
after ~7 tool calls. Disables the rate limiter entirely.
@coderabbitai
Contributor

coderabbitai Bot commented Mar 26, 2026

Walkthrough

The apiKey plugin configuration in the authentication server was updated to explicitly disable rate limiting by adding rateLimit: { enabled: false }. This is a configuration-only change with no alterations to logic or exported interfaces.

Changes

Cohort / File(s) Summary
API Key Rate Limiting Configuration
packages/auth/src/server.ts
Added explicit rateLimit: { enabled: false } setting to the apiKey plugin configuration within the betterAuth initialization.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A config tweak, oh so small,
Rate limits gone, no gates at all,
The apiKey flows so free,
Hopping fast, as fast can be! 🏃‍♂️

Pre-merge checks: 3 passed
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: disabling API key rate limiting and identifies the critical issue it fixes (MCP breaking after ~7 calls).
Description check ✅ Passed The description provides comprehensive context including the root cause, the problem it solves, and a clear test plan; however, it does not follow the required template structure with explicit sections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/auth/src/server.ts`:
- Around line 175-177: The apiKey plugin's rateLimit is being unconditionally
disabled (rateLimit.enabled = false) in the auth server; restore
application-layer protection by either re-enabling rate limiting with sensible
defaults (e.g., timeWindow and maxRequests matching the DB defaults used in
packages/db/src/schema/auth.ts) or gate the disable behind an explicit
environment variable (e.g., check process.env.ENABLE_API_KEY_RATE_LIMIT and set
rateLimit.enabled accordingly). Update the rateLimit block in the apiKey plugin
configuration in packages/auth/src/server.ts to read the env flag (or set
enabled: true and configure timeWindow/maxRequests) so per-key limits are
enforced or opt-in disabled explicitly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3295bb8d-887c-4487-9ea6-654cdb652954

📥 Commits

Reviewing files that changed from the base of the PR and between 1850d3f and f248042.

📒 Files selected for processing (1)
  • packages/auth/src/server.ts
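Added example, not code from this PR or from better-auth, covering both the PR summary's account of the per-key "10 requests per 24 hours" counter and CodeRabbit's suggestion to gate the disable behind an explicit environment variable: a toy fixed-window limiter that reproduces the "~7 tool calls" behaviour, and a builder for the apiKey plugin's rateLimit block that keeps limits on unless an operator opts out. The option names enabled, timeWindow and maxRequests follow better-auth's rateLimit options; the env variable names API_KEY_RATE_LIMIT, API_KEY_RATE_WINDOW_MS and API_KEY_RATE_MAX are assumptions, and the limiter class is a model of the mechanics, not better-auth's implementation.

```typescript
// Added example (not the PR's or better-auth's code): a fixed-window per-key counter
// reproducing the "10 per 24h" default the PR describes, plus a builder for the apiKey
// plugin's rateLimit block that reads an env flag rather than hard-coding enabled: false,
// as CodeRabbit suggested. Option names follow better-auth; env var names are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;
interface RateLimitOptions {
  enabled: boolean;
  timeWindow?: number;  // window length in ms
  maxRequests?: number; // requests allowed per key per window
}

// Limits stay on with explicit values; disabled only by an explicit opt-out.
function rateLimitConfig(env: Record<string, string | undefined>): RateLimitOptions {
  if (env.API_KEY_RATE_LIMIT === "off") return { enabled: false };
  return {
    enabled: true,
    timeWindow: Number(env.API_KEY_RATE_WINDOW_MS ?? DAY_MS),
    maxRequests: Number(env.API_KEY_RATE_MAX ?? 10),
  };
}

// Fixed-window counter keyed by API key: why keys "die" after a handful of calls.
class FixedWindowLimiter {
  private state = new Map<string, { windowStart: number; count: number }>();
  constructor(private readonly opts: RateLimitOptions) {}
  // true = allowed, false = blocked until the window rolls over
  allow(key: string, now: number): boolean {
    if (!this.opts.enabled) return true;
    const windowMs = this.opts.timeWindow ?? DAY_MS;
    const max = this.opts.maxRequests ?? 10;
    const s = this.state.get(key);
    if (!s || now - s.windowStart >= windowMs) {
      this.state.set(key, { windowStart: now, count: 1 });
      return true;
    }
    if (s.count >= max) return false;
    s.count += 1;
    return true;
  }
}
// One MCP session: initCalls handshake requests, then tool calls until blocked.
// Returns how many tool calls succeed (7 under the defaults, all 20 when disabled).
function toolCallsBeforeBlock(opts: RateLimitOptions, initCalls = 3, attempts = 20): number {
  const limiter = new FixedWindowLimiter(opts);
  for (let i = 0; i < initCalls; i++) limiter.allow("key-1", 0);
  let ok = 0;
  while (ok < attempts && limiter.allow("key-1", ok + 1)) ok++;
  return ok;
}
```

With the defaults the session gets exactly 7 tool calls after the 3-request handshake; with `API_KEY_RATE_LIMIT=off` every call passes, which is the behaviour this PR hard-codes.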

@github-actions
Contributor

github-actions Bot commented Mar 26, 2026

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

  • ✅ Neon database branch
  • ✅ Electric Fly.io app

Thank you for your contribution! 🎉

@saddlepaddle saddlepaddle merged commit a5625e8 into main Mar 26, 2026
15 checks passed