Rate limits
One person submitting twice is normal. Hundreds of requests in a few seconds are not.
Rate limits control sustained traffic and short bursts for each form. Form Plume also uses a soft client fingerprint so one abusive source cannot consume the entire form's allowance. Rate limits are one of several signals that feed spam scoring.
What the limits are
There are two limits working together. A sustained per-minute rate covers steady traffic, and a smaller burst allowance covers a handful of submissions arriving back to back, which is what real people do when a page has more than one form or someone double-clicks. When a source drains its burst allowance faster than the sustained rate refills it, further requests are held off until the window recovers, the same short bursts that the time trap also watches for.
The limits are fixed rather than per-plan, and they are set high enough that normal form traffic never reaches them. You do not configure them, and you do not need to raise them for legitimate use. If you are hitting them, it is usually automated traffic or a client retrying in a tight loop, not real submitters.
When a request is limited
Form Plume returns 429 Too Many Requests and includes Retry-After.
JavaScript clients should wait before trying again:
if (response.status === 429) {
const wait = response.headers.get("Retry-After");
showError(`Too many attempts. Try again in ${wait} seconds.`);
}Do not retry immediately in a loop. That creates more traffic and keeps the client limited for longer.