Access denied | backboard.railway.com used Cloudflare to restrict access
develop
PROOP

a month ago

We are a team building an AI-powered programming product. After users develop and complete their websites, they need to deploy the project to the Railway platform. We provide a one-click deployment service for our users. On our server side, we call Railway's API to handle this deployment capability. Recently, we frequently encounter rate limiting on the API calls, which seriously impacts our users' experience and leads to complaints.

For example, when calling the interface to fetch deployment regions from our server, we get a rate limit error, as shown in this curl command:

curl -v -X POST https://backboard.railway.com/graphql/v2 \

    -H "Content-Type: application/json" \

    -H "Authorization: Bearer xxx" \

    -d '{

      "query": "query Regions($projectId: String) { regions(projectId: $projectId) { region name location country railwayMetal deploymentConstraints { adminOnly stagingOnly deprecationInfo { isDeprecated replacementRegion } } } }",

      "variables": {}

    }'

The logs look like the attached image (showing the rate limit error).

<title>Access denied | backboard.railway.com used Cloudflare to restrict access</title>

curl -v -X POST https://backboard.railway.com/graphql/v2 \

-H "Content-Type: application/json" -H "Authorization: Bearer xxx" -d '{ "query": "query Regions($projectId: String) { regions(projectId: $projectId) { region name location country railwayMetal deploymentConstraints { adminOnly s tagingOnly deprecationInfo { isDeprecated replacementRegion } } } }", "variables": {} }' Note: Unnecessary use of -X or --request, POST is already inferred.

  • Host backboard.railway.com:443 was resolved.

  • IPv6: 2606:4700::6812:1935, 2606:4700::6812:1835

  • IPv4: 104.18.25.53, 104.18.24.53

  • Trying [2606:4700::6812:1935]:443...

  • Immediate connect fail for 2606:4700::6812:1935: Network unreachable

  • Trying 104.18.25.53:443...

  • ALPN: curl offers h2,http/1.1

  • TLSv1.3 (OUT), TLS handshake, Client hello (1):

  • SSL Trust Anchors:

  • CAfile: /etc/ssl/certs/ca-certificates.crt

  • CApath: /etc/ssl/certs

  • TLSv1.3 (IN), TLS handshake, Server hello (2):

  • TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):

  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):

  • TLSv1.3 (IN), TLS handshake, Certificate (11):

  • TLSv1.3 (IN), TLS handshake, CERT verify (15):

  • TLSv1.3 (IN), TLS handshake, Finished (20):

  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):

  • TLSv1.3 (OUT), TLS handshake, Finished (20):

  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey

  • ALPN: server accepted h2

  • Server certificate:

  • subject: CN=railway.com

  • start date: Feb 18 17:13:52 2026 GMT

  • expire date: May 19 18:13:45 2026 GMT

  • issuer: C=US; O=Google Trust Services; CN=WE1

  • Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256

  • Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384

  • Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384

  • subjectAltName: "backboard.railway.com" matches cert's "*.railway.com"

  • SSL certificate verified via OpenSSL.

  • Established connection to backboard.railway.com (104.18.25.53 port 443) from 192.168.148.61 port 58658

  • using HTTP/2

  • [HTTP/2] [1] OPENED stream for https://backboard.railway.com/graphql/v2

  • [HTTP/2] [1] [:method: POST]

  • [HTTP/2] [1] [:scheme: https]

  • [HTTP/2] [1] [:authority: backboard.railway.com]

  • [HTTP/2] [1] [:path: /graphql/v2]

  • [HTTP/2] [1] [user-agent: curl/8.17.0]

  • [HTTP/2] [1] [accept: /]

  • [HTTP/2] [1] [content-type: application/json]

  • [HTTP/2] [1] [authorization: Bearer 1068dcd4-37d2-4826-ae0c-0178d624cbb8]

  • [HTTP/2] [1] [content-length: 261]

POST /graphql/v2 HTTP/2 Host: backboard.railway.com User-Agent: curl/8.17.0 Accept: / Content-Type: application/json Authorization: Bearer 1068dcd4-37d2-4826-ae0c-0178d624cbb8 Content-Length: 261

  • upload completely sent off: 261 bytes

  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): < HTTP/2 429 < date: Thu, 05 Mar 2026 04:23:26 GMT < content-type: text/plain; charset=UTF-8 < content-length: 16 < retry-after: 20195 < x-frame-options: SAMEORIGIN < referrer-policy: same-origin < cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 < expires: Thu, 01 Jan 1970 00:00:01 GMT < server: cloudflare < cf-ray: 9d7658638a6781b2-IAD <

  • Connection #0 to host backboard.railway.com:443 left intact

1 Replies

develop
PROOP

13 hours ago

Why does the Railway PRO version get rate-limited? 10,000 requests per hour, 50 QPS per second.

Loading...