Limits
Beta
This feature is in beta. Core behavior is stable, but some APIs or configuration may change before general availability.
Technical limits for EdgeBase App Functions.
Execution
| Limit | Default | Configurable | Notes |
|---|---|---|---|
| Max call depth | 5 | No | Prevents circular context.admin.functions.call() chains |
| Blocking hook timeout | 5 seconds | No | Fixed — beforeSignUp, beforeSignIn, onTokenRefresh, beforePasswordReset, beforeSignOut. On timeout the operation is rejected with 403 hook-rejected. |
| Non-blocking hook | No timeout | — | afterSignUp, afterSignIn, afterPasswordReset, afterSignOut, onDeleteAccount, onEmailVerified run via ctx.waitUntil() |
| Action handler timeout (Room) | 5 seconds | No | Per onAction execution |
| Schedule function timeout | 10 seconds | Yes | Defaults to 10s. Override with functions.scheduleFunctionTimeout. Applied by both Worker cron dispatch and DB-triggered schedule execution. |
| Alarm wall-clock budget | 30 seconds | No | Cloudflare DO Alarm limit; functions split if exceeded |
HTTP Triggers
| Feature | Details |
|---|---|
| Routing | Filesystem-based (SvelteKit style) |
| Dynamic params | [param].ts → context.params.param |
| Catch-all | [...slug].ts → context.params.slug |
| Route groups | (group)/file.ts → parentheses removed from URL |
| Methods | GET, POST, PUT, PATCH, DELETE (named exports) |
| Middleware | _middleware.ts applies to directory and subdirectories |
| Ignored files | _helper.ts (underscore prefix, not middleware) |
Database Triggers
| Trigger Event | Execution | Notes |
|---|---|---|
insert | Async (ctx.waitUntil()) | Never blocks API response |
update | Async (ctx.waitUntil()) | |
delete | Async (ctx.waitUntil()) | |
| Trigger error | Logged only | Best-effort; does not roll back the CUD operation |
Authentication Triggers
| Trigger Event | Type | Timeout | Notes |
|---|---|---|---|
beforeSignUp | Blocking | 5s (hardcoded) | Can reject signup; rejected with 403 hook-rejected on timeout |
beforeSignIn | Blocking | 5s (hardcoded) | Can reject signin; rejected with 403 hook-rejected on timeout |
onTokenRefresh | Blocking | 5s (hardcoded) | Can inject custom claims; on timeout the hook is skipped and the token is issued without hook claims (error is swallowed) |
afterSignUp | Non-blocking | None | ctx.waitUntil() |
afterSignIn | Non-blocking | None | ctx.waitUntil() |
beforePasswordReset | Blocking | 5s | Called on both reset-password and change-password |
afterPasswordReset | Non-blocking | None | ctx.waitUntil() |
beforeSignOut | Blocking | 5s | Can reject sign-out; rejected with 403 hook-rejected on timeout |
afterSignOut | Non-blocking | None | ctx.waitUntil() |
onDeleteAccount | Non-blocking | None | ctx.waitUntil() |
onEmailVerified | Non-blocking | None | ctx.waitUntil() |
Schedule Triggers
| Limit | Value | Notes |
|---|---|---|
| Cron syntax | Standard 5-field | Defined in edgebase.config.ts, deployed as Cloudflare Cron Triggers |
| Execution | Worker scheduled() handler | Each schedule function runs via ctx.waitUntil() |
| Concurrent execution | Parallel | Each schedule trigger runs independently in the Worker |
Rate Limiting
| Group | Default | Key | Configurable |
|---|---|---|---|
functions | 50 req / 60s | IP | Yes |
global | 10,000,000 req / 60s | IP | Yes |
Service Key requests bypass the functions group limit.
The same bypass semantics apply to all Admin SDKs.
FunctionError Codes
| Code | HTTP Status |
|---|---|
not-found | 404 |
permission-denied | 403 |
unauthenticated | 401 |
invalid-argument | 400 |
already-exists | 409 |
internal | 500 |
unavailable | 503 |
failed-precondition | 412 |
resource-exhausted | 429 |