Limits & guardrails

Comwit Cloud puts a few deliberate guardrails in place to keep your projects safe and predictable. Some are hard limits (a value the API enforces), some are safety checks (it refuses an operation that could hurt the platform), and some are features that are designed but not yet live. This page collects them all in one place so you know what to expect before you hit them.

If you are brand new, you don’t need to memorize any of this — start with Quickstart and come back here when something gets rejected.

| Guardrail | Where it applies | What happens |
| --- | --- | --- |
| App env values are plain only | Apps | secret: true is rejected with 400 |
| Lists are unpaginated | API (all list routes) | All items returned; pagination is planned |
| Query token TTL is bounded | Databases | ttl_seconds must be 1–3600 |
| Protected database tenants | Databases | Lifecycle ops rejected with 403 |
| Active project-domain limit | Domains | New domains rejected once the limit is hit |
| Domain purchase | Domains | Planned, not yet live |
| Idempotency-Key + async operations | API | Planned, not yet live |
| Database tokens returned once | Databases | Never stored — copy it immediately |

See Manage databases and Run SQL for the full flows.

  • Connection tokens are shown once and never stored. When you create or rotate a database, the response includes a database_token. Comwit never keeps a copy of your raw tenant token — copy it into your app’s secret store immediately. If you lose it, rotate the token to get a fresh one (the previous token then stops working).
  • Query token TTL is bounded to 1–3600 seconds. Short-lived query tokens (used by the console SQL editor and POST /v1/databases/{database}/query-token) take a ttl_seconds value that must fall between 1 second and 3600 seconds (one hour). Use these for transient SQL access so you never expose the durable connection token to a browser session.
  • Platform-critical database tenants are protected. A small set of Louhi tenants (for example louhi-app and comwit-db-synthetic) are guarded by the platform. Suspend, resume, delete, rotate, and query-token operations against a protected tenant are rejected with 403. This is a launch safety guard, not a substitute for normal project authorization.
  • db.cloud.comwit.io is a data endpoint only. Management, docs, and debug paths are blocked on the public database listener. All lifecycle operations go through the platform API, not the data host.
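
A server-side helper for the query-token flow described above, as an added example that is not Comwit's own code: it checks the 1–3600 bound before calling the API and surfaces the 400/403 guardrails as a distinct error. The API host, the Bearer auth header, and sending ttl_seconds as a JSON body are assumptions; only the route, the ttl_seconds bounds, and the 403 behavior come from this page.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.example.invalid"  # placeholder: API host is not given on this page
TTL_MIN, TTL_MAX = 1, 3600                # ttl_seconds bounds stated on this page


class GuardrailError(Exception):
    """The platform refused the request (400 validation or 403 guard)."""


def build_query_token_request(database, ttl_seconds, api_key):
    # Fail locally on an out-of-range TTL instead of clamping it silently:
    # a caller asking for a day should learn that the cap is one hour.
    if isinstance(ttl_seconds, bool) or not isinstance(ttl_seconds, int):
        raise ValueError("ttl_seconds must be an integer")
    if not TTL_MIN <= ttl_seconds <= TTL_MAX:
        raise ValueError(f"ttl_seconds must be {TTL_MIN}..{TTL_MAX}, got {ttl_seconds}")
    name = urllib.parse.quote(database, safe="")  # keep the name inside one path segment
    return urllib.request.Request(
        f"{API_BASE}/v1/databases/{name}/query-token",
        data=json.dumps({"ttl_seconds": ttl_seconds}).encode(),  # assumed: JSON body
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_key}",  # assumed auth scheme
        },
    )


def mint_query_token(database, ttl_seconds, api_key, opener=urllib.request.urlopen):
    """Run server-side; hand only the returned short-lived token to the browser."""
    req = build_query_token_request(database, ttl_seconds, api_key)
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)  # response field names are not given on this page
    except urllib.error.HTTPError as err:
        if err.code in (400, 403):
            reason = "protected tenant or not authorized" if err.code == 403 else "rejected input"
            raise GuardrailError(f"{database}: {reason} ({err.code})") from err
        raise
```

The opener parameter exists so the call can be exercised offline with a stub; in production leave it at its default.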

See Environment & secrets for details.

  • Environment values are plain only. Setting secret: true on an app environment variable is rejected with 400 (“secret app env values are not enabled”). The live policy does not use a managed secret backend for app env, so store plain config here and keep real secrets out until a secret backend is intentionally enabled. See Deploy an app for how env values are applied.

See Bring your own domain for the delegated-DNS flow.

  • There is a per-project limit on active project domains. A configurable cost/quota guard caps how many domains a single project can have onboarded at once. The limit is checked before the Route 53 hosted zone is created, so you’re told up front rather than mid-operation.
  • Domain purchase (registrar) is planned, not live. Delegated DNS for a domain you already own is fully live. Buying a brand-new domain through Comwit is designed but not yet implemented.

See the API overview and Errors & idempotency for behavior across all routes.

  • Lists are currently unpaginated. Every list route (databases, apps, builds, domains, records, projects) returns all items in one response. Page-size and page-token pagination is planned but not yet live.
  • Generic idempotency keys and async operations are planned. The API is synchronous wherever the upstream control plane is synchronous. Several specific spots are already retry-safe today — project-domain create returns the existing domain if present, hosted-zone creation uses a deterministic caller reference, DNS record delete treats “already gone” as success, and app domain attach/finalize and app delete are re-entrant. A general-purpose Idempotency-Key header plus operation resources for long-running workflows is planned, not yet live.