Limits & resource controls 

    A few settings bound request sizes and key-version lifetime so a runaway caller or an ever-growing key history can't surprise you.

    Request-size caps 

    max-encrypt-size and max-payload-size (each default 1 MiB) bound request sizes:

    SettingBounds
    max-encrypt-sizeencrypt plaintext / decrypt ciphertext.
    max-payload-sizeset value / import material.

    An over-cap request returns PAYLOAD_TOO_LARGE (gRPC ResourceExhausted). Raise the limit or chunk the data. See the error reference.

    max-encrypt-size = 1048576   # 1 MiB
    max-payload-size = 1048576   # 1 MiB

    Key-version lifetime 

    grace-versions and the retention sweep bound how long old key versions stick around:

    SettingBounds
    grace-versionsHow many recent versions still verify/decrypt after a rotation. Default 1; 0 = newest only.
    retain-versionsRetention floor; the sweep prunes archived versions below it. Omit to retain all.
    retention-sweep-secsSweep interval (seconds). Default 3600; 0 disables.

    These are covered in depth under Rotating keys.

    Roadmap 

    Per-uid/key/op rate limits, key-usage quotas, and emergency freeze by key/uid/operation are roadmap. See the feature matrix.

    Where to go next