Spanly Docs
Gateway

Edge protection

Rate limiting, request size caps, and IP rules the gateway enforces before traffic reaches your server.

All edge controls are optional and off (or wide open) by default. Configure them on the Gateway tab.

Rate limiting

Turn on rate limiting to protect your upstream. You set requests per minute and a burst allowance, applied per client. The client is identified by its gateway client key if you use one, otherwise by a hash of its Authorization header, otherwise by IP.

When a client exceeds the limit the gateway returns HTTP 429 with a Retry-After header and a JSON-RPC error body. These rejections are captured, so you can see rate-limit pressure in your dashboard.

Request size cap

The gateway rejects request bodies larger than the size cap (4 MiB by default, configurable from 64 KiB to 64 MiB) with HTTP 413 before they reach your server. This is separate from what Spanly captures; it only bounds what your upstream receives.

Bodies that are not JSON at all are rejected with HTTP 400. Valid JSON that omits the jsonrpc field is forwarded unchanged, so the gateway never blocks a legitimate MCP client.

IP rules

Restrict access to specific IP ranges, or block a source, with CIDR lists. Enter one CIDR per line. An empty allow list allows every source. Blocks always win over the allow list. Denied requests get HTTP 403. Behind the gateway, the client IP is taken from the trusted forwarding hop, so inbound X-Forwarded-For spoofing cannot bypass the rules.

On this page