docs: update rate limit policy (#9405)

# Which Problems Are Solved

The rate limit policy doesn't match the actually applied rate limits.

# How the Problems Are Solved

The rate limit policy is updated.

# Additional Conext

- https://github.com/caos/infra/pull/1141

---------

Co-authored-by: Florian Forster <florian@zitadel.com>

docs/docs/legal/policies/rate-limit-policy.md

@@ -3,7 +3,7 @@ title: Rate Limit Policy
 custom_edit_url: null
 ---
 
-Last updated on April 24, 2024
+Last updated on February 24, 2025
 
 This policy is an annex to the [Terms of Service](../terms-of-service) and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our [Acceptable Use Policy](acceptable-use-policy).
 
@@ -15,7 +15,7 @@ To ensure the availability of our Services and to avoid slow or failed requests
 
 ZITADEL Clouds rate limit is built around a `IP` oriented model.
 Please be aware that we also utilize a service for DDoS mitigation.
-So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point.
+So if you simply change your `IP` address and run the same request again and again you might get blocked at some point.
 
 If you are blocked you will receive a `http status 429`.
 
@@ -26,21 +26,19 @@ You should consider to implement [exponential backoff](https://en.wikipedia.org/
 :::info Raising limits
 We understand that there are certain scenarios where your users access ZITADEL from shared IP Addresses.
 For example if you use a corporate proxy or Network Address Translation NAT.
-Please [get in touch](https://zitadel.com/contact) with us to discuss your requirements and we'll find a solution.
+Please [get in touch](https://zitadel.com/contact) with us to discuss your requirements, and we'll find a solution.
 :::
 
 ## What rate limits do apply
 
-For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each.
+For ZITADEL Cloud, we have dedicated rate limits for the user interfaces (login, register, console,...) and the APIs.
 
 Rate limits are implemented with the following rules:
 
-| Path                 | Description                                                    | Rate Limiting                        | One Minute Banning                    |
+| Path                 | Description                            | Rate Limiting                        | One Minute Banning                    |
-| -------------------- | -------------------------------------------------------------- | ------------------------------------ | ------------------------------------- |
+|----------------------|----------------------------------------|--------------------------------------|---------------------------------------|
-| /ui/login\*          | Global Login, Register and Reset Limit                         | 10 requests per second over a minute | 15 requests per second over 3 minutes |
+| /ui/\*               | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
-| /oauth/v2/keys       | OAuth/OpenID Public Keys Endpoint                              | 20 requests per second over a minute | 15 requests per second over 3 minutes |
+| All other paths      | All gRPC-, REST and OAuth APIs         | 50 requests per second over a minute | 50 requests per second over 3 minutes |
-| /oauth/v2/introspect | OAuth Introspection Endpoint                                   | 20 requests per second over a minute | 15 requests per second over 3 minutes |
-| All other paths      | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
 
 ## Load Testing