SMS Request Rate Limiter
When a user can repeatedly request SMS messages—such as one-time passcodes (OTPs)—without restriction, it can lead to a range of issues. These might include higher operating costs due to excessive SMS traffic, degraded user experience due to spam-like notification bursts, or even security vulnerabilities arising from automated attempts to overwhelm a recipient’s device. To address these concerns, the PhenixID Server implements a rate-limiting mechanism for SMS requests.
This feature ensures that SMS OTPs or other SMS-based messages are sent at a controlled pace, preventing any single recipient number from being flooded with messages. In practice, this means that when a user requests multiple SMS messages in quick succession, the system automatically places a temporary hold—also called a quarantine—on further requests. Once this quarantine period expires, the user can request SMS messages again.
Example (using default values): Suppose a user requests five SMS OTP codes to the same phone number within a span of 2.5 minutes. Because this is too rapid compared to the allowed moving average, the system quarantines that number for 10 minutes. During the quarantine period, no new SMS messages will be sent to that number. After 10 minutes, the rate limit resets, and the user can resume requesting SMS messages at a normal pace.
Note:
The parameters that control this behavior are global, meaning they apply to all SMS valves configured in the PhenixID environment. Adjusting these values can help you tailor the system’s responsiveness and prevent abuse while maintaining a smooth user experience.
Parameters
| Name | Description | Default value |
|---|---|---|
| request_interval_mean | The minimum average delay (in seconds) that should separate consecutive SMS requests to the same recipient number. If the moving average of the delays falls below this value, the limiter imposes a quarantine period on that number. | 30 |
| request_lookback | The number of recent SMS requests considered when calculating the moving average. This defines the sample size of past requests the system evaluates before deciding to trigger a quarantine. | 5 |
| request_quarantine_period | The length of time (in seconds) that a recipient number is quarantined once the average delay between its requests drops below request_interval_mean. After this quarantine expires, the rate limit resets for that number, allowing normal requests again. | 600 |
| request_limiter_disabled | A boolean value that, when set to true, completely disables the SMS rate limiting functionality. Use this option carefully—while it provides unrestricted SMS requests, it may also expose you to abuse and higher costs. | false |
By understanding and configuring these parameters, you can strike the right balance between accommodating user needs and protecting your SMS infrastructure from excessive or abusive traffic.
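The following reference model, added here as an illustration and not taken from the PhenixID Server code base, shows how the four parameters interact. The page does not state the exact arithmetic, so two details are assumptions: the moving average is taken as the mean gap between the last request_lookback timestamps for a number, that is (newest - oldest) / (request_lookback - 1), and the request that pushes that mean below request_interval_mean is itself rejected and starts the quarantine. The phone numbers and timestamps are constructed sample data.

```python
"""Reference model of a per-number, moving-average SMS rate limiter (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class LimiterConfig:
    # Names and defaults mirror the parameter table on this page.
    request_interval_mean: float = 30.0       # minimum allowed mean gap in seconds
    request_lookback: int = 5                 # number of recent requests averaged
    request_quarantine_period: float = 600.0  # quarantine length in seconds
    request_limiter_disabled: bool = False    # True switches the limiter off entirely


class SmsRateLimiter:
    def __init__(self, config: Optional[LimiterConfig] = None) -> None:
        self.config = config or LimiterConfig()
        # number -> timestamps of its most recent requests (bounded by request_lookback)
        self._history: Dict[str, Deque[float]] = defaultdict(deque)
        # number -> epoch second at which its quarantine ends
        self._quarantine_until: Dict[str, float] = {}

    def allow(self, number: str, now: float) -> bool:
        """Return True if an SMS to `number` may be sent at time `now` (seconds)."""
        cfg = self.config
        if cfg.request_limiter_disabled:
            return True

        until = self._quarantine_until.get(number)
        if until is not None:
            if now < until:
                return False  # still quarantined: nothing is sent
            # Quarantine has expired: the rate limit resets for this number.
            del self._quarantine_until[number]
            self._history[number].clear()

        history = self._history[number]
        history.append(now)
        while len(history) > cfg.request_lookback:
            history.popleft()

        if len(history) == cfg.request_lookback:
            # Assumption: mean gap between consecutive requests in the window.
            mean_gap = (history[-1] - history[0]) / max(cfg.request_lookback - 1, 1)
            if mean_gap < cfg.request_interval_mean:
                # Assumption: the triggering request is rejected and the
                # number is quarantined from this moment.
                self._quarantine_until[number] = now + cfg.request_quarantine_period
                history.clear()
                return False
        return True


def simulate(requests: List[Tuple[float, str]],
             config: Optional[LimiterConfig] = None) -> List[Tuple[float, str, bool]]:
    """Replay (timestamp, number) requests in order; return each decision."""
    limiter = SmsRateLimiter(config)
    return [(t, number, limiter.allow(number, t)) for t, number in requests]


if __name__ == "__main__":
    # Constructed sample: one number bursting every 20 s, one at a normal pace.
    burst = [(t, "+46700000001") for t in (0, 20, 40, 60, 80, 300, 700)]
    normal = [(t, "+46700000002") for t in (0, 60, 120, 180, 240)]
    for t, number, allowed in simulate(burst + normal):
        print(f"t={t:>4}s {number}: {'sent' if allowed else 'blocked'}")
```

With the defaults, the bursting number's fifth request (mean gap 20 s over the last five requests) is blocked and the number is quarantined until t = 680 s; the request at t = 300 s is blocked, and the one at t = 700 s is sent again after the reset. The number requesting every 60 s never trips the limiter. Setting request_limiter_disabled to True in LimiterConfig makes every request pass, which is the cost and abuse exposure the parameter table warns about.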