FOSSBilling · admdly · May 24, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/src/content/docs/customizing-fossbilling/config.mdoc b/src/content/docs/customizing-fossbilling/config.mdoc
@@ -101,21 +101,33 @@ Temporarily disable public access. Use `allowed_urls` for endpoints that must st
 
 ### API Settings
 
-Control API access and rate limiting. Use `require_referrer_header` to lock browser-originated requests to your install URL, `allowed_ips` for explicit allowlists, and the `rate_*` values to tune throttling.
+Control API access. Use `require_referrer_header` to lock browser-originated requests to your install URL, and `allowed_ips` for explicit allowlists.
 
 ```php
 'api' => [
     'require_referrer_header' => true,
     'allowed_ips' => [],
-    'rate_span' => 60,
-    'rate_limit' => 100,
-    'throttle_delay' => 2,
-    'rate_span_login' => 60,
-    'rate_limit_login' => 20,
     'CSRFPrevention' => true,
 ],
 ```
 
+### Rate Limiter
+FOSSBilling includes a built-in rate limiter which depends on Symfony's [rate limiter](https://symfony.com/doc/current/rate_limiter.html) component.
+
+`policies` is an empty array by default and inherits sensible defaults from [`FOSSBilling\Security\RateLimiter::getDefaultConfig()`](https://github.com/FOSSBilling/FOSSBilling/blob/9acf34ec12f908e01e516b7d54839e155b990b9d/src/library/FOSSBilling/Security/RateLimiter.php#L37).
+
+Any policy you explicitly set in the `policies` array will override the default one. We have included an example below. You can refer to their documentation on creating rate limiter policies.
+
+```php
+'rate_limiter' => [
+    'enabled' => true,
+    'whitelist_ips' => [], // Array of whitelisted IP addresses and CIDRs
+    'policies' => [
+        'client_signup' => ['policy' => 'fixed_window', 'limit' => 5, 'interval' => '1 hour'],
+    ],
+],
+```
+
 ## Environment Variables
 
 Some settings can be overridden via environment variables: