Limits & quotas

The edge enforces a few caps. When you self-host, they live in beamd.yaml; on the hosted service they vary by tier.

Concurrent tunnels

max_tunnels_per_token caps how many tunnels one credential can hold at once — default 25. If you open many short-lived previews (e.g. per-branch or per-PR), beamd close the ones you no longer need so you don't hit the cap. Hitting it surfaces as an over_limit error on the next open.

Request body size

max_request_body_bytes caps each public request body — default 32 MiB (33554432). Oversized requests get HTTP 413. Set it to -1 to disable the cap (self-host only).

Tunnel names

A tunnel name is a single RFC 1123 label — lowercase letters, digits, and hyphens, one level deep. The wildcard cert is exactly *.<base> (or *.<slug>.<base>), so nested labels (a.b) won't get a cert or resolve. Encode structure with hyphens. See Naming.

What isn't limited

• No per-IP request rate limiting. The body cap is the only request-size guard; there's no built-in WAF or per-IP throttle. If you self-host and are exposed to abuse, put a fronting proxy or your DNS provider's WAF in front. See Production.
• No HA on a single edge. One beamd serve process is one point of failure — run more than one region if you need redundancy.

Reconnection (not a limit)

Tunnels survive network blips: if the connection drops, the client reconnects and replays its registrations automatically, so URLs stay stable across a restart of the edge or a flaky network.