Access Controls

Data access and protection

The public dataset is rendered as HTML. Direct assets are blocked, APIs are bounded, rate-limited, and logged.

Events Places Businesses Tables Access

403

Direct /data access

30/min

Bulk API limit

120/min

General API limit

100

Max API page

14 days

Log retention

Token

Log reader

Protected surfaces

9 rows

/data/* Blocked

Raw generated assets are not public export endpoints.

/api/events 30/min

Paginated, noindex, no-store, logged.

/api/places 30/min

Paginated, noindex, no-store, logged.

/api/businesses 30/min

Paginated, noindex, no-store, logged.

/api/businesses/category/* 30/min

Paginated, noindex, no-store, logged.

/api/logs/access 120/min

Requires API_LOG_TOKEN.

/chart-engine/*.json Blocked

Rendered SVG/HTML remains public; machine-readable chart metadata is not an export endpoint.

/chart-packs/packs.json Blocked

Topic-pack pages are public HTML; the generated manifest is protected.

/open-data/maps/manifest.json Blocked

Rendered SVG maps remain public; the generated map manifest is protected.

5 rows

X-TorontoList-Data-Policy public-html-rate-limited-api-no-bulk-data-assets

X-Robots-Tag noindex, nofollow, noarchive

Set on API and data responses.

Cache-Control no-store

Set on API and data responses.

CORS restricted

Allowed origins only.

LISTS_KV rate limits + access logs

Production binding in wrangler.toml.