Katman
Plugins

Body Limit

Reject oversized request bodies with a guard — returns 413 Payload Too Large.

The body limit guard checks the Content-Length header before the procedure runs. If the body exceeds your threshold, the request is rejected with 413 Payload Too Large. Zero overhead for GET requests.

Usage

import {  } from "katman/plugins"

const  = k.mutation({
  : [({ : 5 * 1024 * 1024 })], // 5 MB
  : z.object({ : z.string() }),
  : ({ ,  }) => .storage.upload(),
})

When exceeded, the client receives:

{
  "code": "PAYLOAD_TOO_LARGE",
  "status": 413,
  "message": "Request body too large",
  "data": { "maxBytes": 5242880, "receivedBytes": 10485760 }
}

Options

OptionTypeDefaultDescription
maxBytesnumber1_048_576 (1 MB)Maximum body size in bytes
messagestring"Request body too large"Custom error message

Apply globally

Add the guard to every mutation via a shared middleware array:

const  = bodyLimitGuard({ : 2 * 1024 * 1024 })

const  = k.mutation({
  : [auth, ],
  : ({ ,  }) => .db.users.create(),
})

const  = k.mutation({
  : [auth, ],
  : ({ ,  }) => .db.posts.create(),
})

The guard only checks Content-Length. It does not buffer or measure the actual body stream. For streaming uploads, consider using a transport-level limit instead.

What's next?

Rate Limiting

Sliding window rate limiter — protect your API with in-memory or pluggable backends like Redis.

Strict GET

Enforce GET-only access on query procedures — prevents CSRF and accidental POST calls.

On this page

UsageOptionsApply globallyWhat's next?