diff --git a/CLAUDE.md b/CLAUDE.md
index af61a78..d192324 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -169,6 +169,18 @@ ruff check .
 - **abi_extractor.py**: Regex-based ABI extraction from Stylus Rust code (no Docker needed)
 - **compiler_verifier.py**: Docker-based `cargo check` with structured error parsing and LLM fix loop
 
+### Rate Limits (`apps/web/src/lib/rateLimit.ts`)
+- Two-window enforcement (per-minute burst + per-day total), per-key (or per-user for session auth), per-category (chat and tool counters are independent). Whichever window is exhausted first triggers 429.
+- KV keys: `rl:{subject}:{category}:m:{YYYY-MM-DDTHH:MM}` (TTL 120s) and `rl:{subject}:{category}:d:{YYYY-MM-DD}` (TTL 48h).
+- Tiers (code-defined; only the name lives in `api_keys.rate_limit_tier`):
+  - `free` (default): 100/min, 1000/day
+  - `pro`: 500/min, 10000/day
+  - `unlimited`: 10K/min, 1M/day (effectively uncapped)
+- Enforcement points: `/api/v1/chat/completions`, every `/api/v1/tools/*` route, and `tools/call` on `/mcp`. Admin requests (`AUTH_SECRET` Bearer) bypass.
+- Headers on every response: bottleneck `X-RateLimit-Limit/-Remaining/-Reset`, plus per-window `-Minute` and `-Day` variants, plus `X-RateLimit-Tier`. 429 also carries `Retry-After` for the denying window.
+- `GET /api/v1/usage` returns current counter state without incrementing — for client-side planning.
+- Tier management: `GET/PATCH /api/admin/rate-limits` (admin secret), surfaced in `/dashboard/admin` under the "Rate Limits" tab.
+
 ### Worker-Native Ingestion Pipeline (`apps/web/src/lib/`)
 - **scraper.ts**: Web documentation scraping via HTMLRewriter + regex HTML-to-markdown
 - **github.ts**: GitHub repo scraping via Trees API + Contents API (no tarball)
diff --git a/README.md b/README.md
index e910e23..10f880c 100644
--- a/README.md
+++ b/README.md
@@ -561,7 +561,7 @@ https://arbuilder.app/mcp
 
 - Requires `arb_` API key from dashboard
 - Usage tracked per API key
-- Rate limited per free tier (100 calls/day)
+- Rate limited per tier with two windows (burst per minute + total per day). Free tier: 100 req/min and 1000 req/day, applied separately to chat and tool calls. Admin can promote keys to `pro` (500/min, 10K/day) or `unlimited` from the admin dashboard. Every response carries `X-RateLimit-*` headers.
 
 ### Chat Completions API (OpenAI-compatible)
 
diff --git a/apps/web/migrations/0005_rate_limits.sql b/apps/web/migrations/0005_rate_limits.sql
new file mode 100644
index 0000000..7e3c3a8
--- /dev/null
+++ b/apps/web/migrations/0005_rate_limits.sql
@@ -0,0 +1,5 @@
+-- Add rate_limit_tier to api_keys for tier-based daily quotas.
+-- Tiers: 'free' (default), 'pro', 'unlimited'.
+-- Limits live in code (apps/web/src/lib/rateLimit.ts) so they can be tuned
+-- without a migration; this column only carries the tier name.
+ALTER TABLE api_keys ADD COLUMN rate_limit_tier TEXT NOT NULL DEFAULT 'free';
diff --git a/apps/web/src/app/api/admin/rate-limits/route.ts b/apps/web/src/app/api/admin/rate-limits/route.ts
new file mode 100644
index 0000000..e0c8a4b
--- /dev/null
+++ b/apps/web/src/app/api/admin/rate-limits/route.ts
@@ -0,0 +1,128 @@
+/**
+ * Admin API for managing per-key rate-limit tiers.
+ *
+ *   GET    /api/admin/rate-limits             — list all api_keys with tier + recent usage
+ *   PATCH  /api/admin/rate-limits             — body: { keyId, tier } — update tier on a key
+ *
+ * Headers: X-Admin-Secret: <AUTH_SECRET>
+ *
+ * Tiers are validated against TIER_LIMITS in @/lib/rateLimit.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { getCloudflareContext } from "@opennextjs/cloudflare";
+import { getLimitsForTier, type RateLimitTier } from "@/lib/rateLimit";
+
+const VALID_TIERS: RateLimitTier[] = ["free", "pro", "unlimited"];
+
+function verifyAuth(request: NextRequest, authSecret: string): boolean {
+  return request.headers.get("X-Admin-Secret") === authSecret;
+}
+
+interface KeyRow {
+  id: string;
+  user_id: string;
+  user_email: string | null;
+  key_prefix: string;
+  name: string | null;
+  rate_limit_tier: string;
+  created_at: string;
+  last_used_at: string | null;
+  revoked_at: string | null;
+  calls_24h: number;
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    const { env } = getCloudflareContext();
+    if (!verifyAuth(request, env.AUTH_SECRET)) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const since = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString();
+
+    const result = await env.DB
+      .prepare(
+        `SELECT k.id, k.user_id, u.email AS user_email, k.key_prefix, k.name,
+                k.rate_limit_tier, k.created_at, k.last_used_at, k.revoked_at,
+                COALESCE(c.cnt, 0) AS calls_24h
+         FROM api_keys k
+         LEFT JOIN users u ON u.id = k.user_id
+         LEFT JOIN (
+           SELECT api_key_id, COUNT(*) AS cnt
+           FROM usage_logs
+           WHERE created_at >= ?
+           GROUP BY api_key_id
+         ) c ON c.api_key_id = k.id
+         ORDER BY k.created_at DESC
+         LIMIT 500`,
+      )
+      .bind(since)
+      .all<KeyRow>();
+
+    const keys = (result.results ?? []).map((r) => {
+      const lim = getLimitsForTier(r.rate_limit_tier);
+      return {
+        id: r.id,
+        userId: r.user_id,
+        userEmail: r.user_email,
+        keyPrefix: r.key_prefix,
+        name: r.name,
+        tier: r.rate_limit_tier,
+        limits: { perMinute: lim.perMinute, perDay: lim.perDay },
+        createdAt: r.created_at,
+        lastUsedAt: r.last_used_at,
+        revokedAt: r.revoked_at,
+        calls24h: r.calls_24h,
+      };
+    });
+
+    return NextResponse.json({ tiers: VALID_TIERS, keys });
+  } catch (e) {
+    console.error("admin/rate-limits GET failed:", e);
+    return NextResponse.json({ error: (e as Error).message || String(e) }, { status: 500 });
+  }
+}
+
+export async function PATCH(request: NextRequest) {
+  try {
+    const { env } = getCloudflareContext();
+    if (!verifyAuth(request, env.AUTH_SECRET)) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const body = (await request.json().catch(() => ({}))) as {
+      keyId?: string;
+      tier?: string;
+    };
+    if (!body.keyId || !body.tier) {
+      return NextResponse.json({ error: "Missing keyId or tier" }, { status: 400 });
+    }
+    if (!VALID_TIERS.includes(body.tier as RateLimitTier)) {
+      return NextResponse.json(
+        { error: `Invalid tier. Must be one of: ${VALID_TIERS.join(", ")}` },
+        { status: 400 },
+      );
+    }
+
+    const r = await env.DB
+      .prepare(`UPDATE api_keys SET rate_limit_tier = ? WHERE id = ?`)
+      .bind(body.tier, body.keyId)
+      .run();
+
+    if (r.meta.changes === 0) {
+      return NextResponse.json({ error: "Key not found" }, { status: 404 });
+    }
+
+    const lim = getLimitsForTier(body.tier);
+    return NextResponse.json({
+      ok: true,
+      keyId: body.keyId,
+      tier: body.tier,
+      limits: { perMinute: lim.perMinute, perDay: lim.perDay },
+    });
+  } catch (e) {
+    console.error("admin/rate-limits PATCH failed:", e);
+    return NextResponse.json({ error: (e as Error).message || String(e) }, { status: 500 });
+  }
+}
diff --git a/apps/web/src/app/api/keys/usage/route.ts b/apps/web/src/app/api/keys/usage/route.ts
new file mode 100644
index 0000000..cea6703
--- /dev/null
+++ b/apps/web/src/app/api/keys/usage/route.ts
@@ -0,0 +1,102 @@
+/**
+ * GET /api/keys/usage
+ *
+ * Session-auth only. Returns current rate-limit counters and 24h activity
+ * for every active key owned by the logged-in user. Used by /dashboard/keys
+ * to render per-key usage widgets without making the user paste their keys.
+ *
+ * Like /api/v1/usage, this does NOT increment any counter.
+ */
+
+import { NextResponse } from "next/server";
+import { getCloudflareContext } from "@opennextjs/cloudflare";
+import { auth } from "@/auth";
+import { peekUsage, getLimitsForTier } from "@/lib/rateLimit";
+
+interface KeyRow {
+  id: string;
+  rate_limit_tier: string;
+  last_used_at: string | null;
+}
+
+interface UsageRow {
+  api_key_id: string;
+  total: number;
+  ok: number | null;
+  last: string | null;
+}
+
+export async function GET() {
+  try {
+    const session = await auth();
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { env } = getCloudflareContext();
+
+    const keysRes = await env.DB
+      .prepare(
+        `SELECT id, rate_limit_tier, last_used_at
+         FROM api_keys
+         WHERE user_id = ? AND revoked_at IS NULL`,
+      )
+      .bind(session.user.id)
+      .all<KeyRow>();
+
+    const keys = keysRes.results ?? [];
+    if (keys.length === 0) return NextResponse.json({ usage: {} });
+
+    // Single 24h-window aggregate query for all of the user's keys.
+    const since = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString();
+    const placeholders = keys.map(() => "?").join(",");
+    const params = [...keys.map((k) => k.id), since];
+    const usageRes = await env.DB
+      .prepare(
+        `SELECT api_key_id,
+                COUNT(*) AS total,
+                SUM(success) AS ok,
+                MAX(created_at) AS last
+         FROM usage_logs
+         WHERE api_key_id IN (${placeholders}) AND created_at >= ?
+         GROUP BY api_key_id`,
+      )
+      .bind(...params)
+      .all<UsageRow>();
+
+    const recentByKey = new Map<string, UsageRow>();
+    for (const r of usageRes.results ?? []) recentByKey.set(r.api_key_id, r);
+
+    // Read live counters from KV per key + category in parallel.
+    const peeks = await Promise.all(
+      keys.flatMap((k) => [
+        peekUsage(env.KV, `key:${k.id}`, "chat", k.rate_limit_tier).then((d) => ({ id: k.id, cat: "chat" as const, d })),
+        peekUsage(env.KV, `key:${k.id}`, "tool", k.rate_limit_tier).then((d) => ({ id: k.id, cat: "tool" as const, d })),
+      ]),
+    );
+
+    const usage: Record<string, unknown> = {};
+    for (const k of keys) {
+      const chat = peeks.find((p) => p.id === k.id && p.cat === "chat")!.d;
+      const tool = peeks.find((p) => p.id === k.id && p.cat === "tool")!.d;
+      const r = recentByKey.get(k.id);
+      const total = r?.total ?? 0;
+      usage[k.id] = {
+        tier: k.rate_limit_tier,
+        limits: getLimitsForTier(k.rate_limit_tier),
+        chat: { minute: chat.minute, day: chat.day },
+        tool: { minute: tool.minute, day: tool.day },
+        recent: {
+          calls24h: total,
+          lastCallAt: r?.last ?? null,
+          successRate: total > 0 ? (r?.ok ?? 0) / total : null,
+        },
+      };
+    }
+
+    return NextResponse.json({ usage });
+  } catch (e) {
+    console.error("/api/keys/usage failed:", e);
+    return NextResponse.json({ error: (e as Error).message || String(e) }, { status: 500 });
+  }
+}
diff --git a/apps/web/src/app/api/v1/chat/completions/route.ts b/apps/web/src/app/api/v1/chat/completions/route.ts
index 29b949d..6ce4719 100644
--- a/apps/web/src/app/api/v1/chat/completions/route.ts
+++ b/apps/web/src/app/api/v1/chat/completions/route.ts
@@ -12,6 +12,7 @@ import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
 import { runAgentNonStreaming, runAgentStreaming } from "@/lib/chat/agent";
 import { encodeSSEChunk, encodeSSEDone, encodeSSEError } from "@/lib/chat/streaming";
+import { enforceRateLimit, rateLimitHeaders, subjectFor } from "@/lib/rateLimit";
 import type {
   ChatCompletionRequest,
   ChatCompletionResponse,
@@ -26,9 +27,10 @@ function errorResponse(
   type: string,
   status: number,
   code?: string,
+  extraHeaders?: Record<string, string>,
 ): NextResponse {
   const body: OpenAIErrorBody = { error: { message, type, code: code ?? null } };
-  return NextResponse.json(body, { status });
+  return NextResponse.json(body, { status, headers: extraHeaders });
 }
 
 async function logChatUsage(
@@ -76,6 +78,25 @@ export async function POST(request: NextRequest) {
     );
   }
 
+  // Rate limit — per-key for arb_ keys, per-user for session auth, bypass for admin.
+  const subj = subjectFor(auth);
+  let rlHeaders: Record<string, string> = {};
+  if (subj) {
+    const decision = await enforceRateLimit(env.KV, subj.subject, "chat", subj.tier);
+    rlHeaders = rateLimitHeaders(decision);
+    if (!decision.allowed) {
+      const denyWindow = decision.exceededWindow === "minute" ? decision.minute : decision.day;
+      const label = decision.exceededWindow === "minute" ? "per-minute" : "per-day";
+      return errorResponse(
+        `Chat rate limit exceeded (${label}: ${denyWindow.limit} on tier '${decision.tier}'). Try again in ${denyWindow.resetSeconds}s.`,
+        "rate_limit_exceeded",
+        429,
+        undefined,
+        rlHeaders,
+      );
+    }
+  }
+
   // Parse body.
   let body: ChatCompletionRequest;
   try {
@@ -159,6 +180,7 @@ export async function POST(request: NextRequest) {
         "Content-Type": "text/event-stream",
         "Cache-Control": "no-cache, no-transform",
         Connection: "keep-alive",
+        ...rlHeaders,
       },
     });
   }
@@ -187,7 +209,7 @@ export async function POST(request: NextRequest) {
         env.DB, apiKeyId, result.toolCallNames, result.usage.total_tokens, Date.now() - start, true,
       );
     }
-    return NextResponse.json(response);
+    return NextResponse.json(response, { headers: rlHeaders });
   } catch (e) {
     const msg = (e as Error).message || String(e);
     if (apiKeyId) {
diff --git a/apps/web/src/app/api/v1/tools/ask-bridging/route.ts b/apps/web/src/app/api/v1/tools/ask-bridging/route.ts
index 6ed91b0..70ca04d 100644
--- a/apps/web/src/app/api/v1/tools/ask-bridging/route.ts
+++ b/apps/web/src/app/api/v1/tools/ask-bridging/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { askBridging, type AskBridgingInput } from "@/lib/tools/askBridging";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     if (!env.OPENROUTER_API_KEY) {
       return NextResponse.json(
@@ -36,7 +39,7 @@ export async function POST(request: NextRequest) {
       }
     );
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in askBridging:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/ask-orbit/route.ts b/apps/web/src/app/api/v1/tools/ask-orbit/route.ts
index d6b0d80..e2e7b61 100644
--- a/apps/web/src/app/api/v1/tools/ask-orbit/route.ts
+++ b/apps/web/src/app/api/v1/tools/ask-orbit/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { askOrbit, type AskOrbitInput } from "@/lib/tools/askOrbit";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     if (!env.OPENROUTER_API_KEY) {
       return NextResponse.json(
@@ -35,7 +38,7 @@ export async function POST(request: NextRequest) {
       }
     );
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in askOrbit:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/ask/route.ts b/apps/web/src/app/api/v1/tools/ask/route.ts
index f91e3e8..70732b8 100644
--- a/apps/web/src/app/api/v1/tools/ask/route.ts
+++ b/apps/web/src/app/api/v1/tools/ask/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { askStylus, type AskStylusInput } from "@/lib/tools/askStylus";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 
 export async function POST(request: NextRequest) {
@@ -12,6 +13,8 @@ export async function POST(request: NextRequest) {
     // Validate request (supports both user API keys and admin secret)
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     // Check for OpenRouter API key
     if (!env.OPENROUTER_API_KEY) {
@@ -43,7 +46,7 @@ export async function POST(request: NextRequest) {
       }
     );
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in askStylus:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/backend/route.ts b/apps/web/src/app/api/v1/tools/backend/route.ts
index 82b0e63..e17fa27 100644
--- a/apps/web/src/app/api/v1/tools/backend/route.ts
+++ b/apps/web/src/app/api/v1/tools/backend/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateBackend } from "@/lib/tools/generateBackend";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -30,7 +33,7 @@ export async function POST(request: NextRequest) {
       features: body.features,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateBackend:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/bridge/route.ts b/apps/web/src/app/api/v1/tools/bridge/route.ts
index 398d86b..3bbe72e 100644
--- a/apps/web/src/app/api/v1/tools/bridge/route.ts
+++ b/apps/web/src/app/api/v1/tools/bridge/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateBridgeCode } from "@/lib/tools/generateBridgeCode";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       bridgeType?: string;
@@ -30,7 +33,7 @@ export async function POST(request: NextRequest) {
       destinationAddress: body.destinationAddress,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateBridgeCode:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/context/route.ts b/apps/web/src/app/api/v1/tools/context/route.ts
index b14fc91..1761b1b 100644
--- a/apps/web/src/app/api/v1/tools/context/route.ts
+++ b/apps/web/src/app/api/v1/tools/context/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { getStylusContext, type GetStylusContextInput } from "@/lib/tools/getStylusContext";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 
 export async function POST(request: NextRequest) {
@@ -12,6 +13,8 @@ export async function POST(request: NextRequest) {
     // Validate request (supports both user API keys and admin secret)
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     // Parse request body
     const body = (await request.json()) as GetStylusContextInput;
@@ -31,7 +34,7 @@ export async function POST(request: NextRequest) {
       rerank: body.rerank ?? true,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in getStylusContext:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/frontend/route.ts b/apps/web/src/app/api/v1/tools/frontend/route.ts
index 704e89e..9b78a63 100644
--- a/apps/web/src/app/api/v1/tools/frontend/route.ts
+++ b/apps/web/src/app/api/v1/tools/frontend/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateFrontend } from "@/lib/tools/generateFrontend";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -30,7 +33,7 @@ export async function POST(request: NextRequest) {
       template: body.template as "base" | "dashboard" | "token" | undefined,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateFrontend:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/generate/route.ts b/apps/web/src/app/api/v1/tools/generate/route.ts
index 89c3de3..c42cefd 100644
--- a/apps/web/src/app/api/v1/tools/generate/route.ts
+++ b/apps/web/src/app/api/v1/tools/generate/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateStylusCode, type GenerateStylusCodeInput } from "@/lib/tools/generateStylusCode";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 
 export async function POST(request: NextRequest) {
@@ -12,6 +13,8 @@ export async function POST(request: NextRequest) {
     // Validate request (supports both user API keys and admin secret)
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     // Check for OpenRouter API key
     if (!env.OPENROUTER_API_KEY) {
@@ -45,7 +48,7 @@ export async function POST(request: NextRequest) {
       }
     );
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateStylusCode:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/indexer/route.ts b/apps/web/src/app/api/v1/tools/indexer/route.ts
index d250ffe..0023e2a 100644
--- a/apps/web/src/app/api/v1/tools/indexer/route.ts
+++ b/apps/web/src/app/api/v1/tools/indexer/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateIndexer } from "@/lib/tools/generateIndexer";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       contractAddress?: string;
@@ -32,7 +35,7 @@ export async function POST(request: NextRequest) {
       network: body.network,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateIndexer:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/messaging/route.ts b/apps/web/src/app/api/v1/tools/messaging/route.ts
index d14d7e8..3f94ac6 100644
--- a/apps/web/src/app/api/v1/tools/messaging/route.ts
+++ b/apps/web/src/app/api/v1/tools/messaging/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateMessagingCode } from "@/lib/tools/generateMessagingCode";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       messageType?: string;
@@ -26,7 +29,7 @@ export async function POST(request: NextRequest) {
       includeExample: body.includeExample,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateMessagingCode:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/oracle/route.ts b/apps/web/src/app/api/v1/tools/oracle/route.ts
index a88bb36..8055823 100644
--- a/apps/web/src/app/api/v1/tools/oracle/route.ts
+++ b/apps/web/src/app/api/v1/tools/oracle/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateOracle } from "@/lib/tools/generateOracle";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       oracleType?: string;
@@ -28,7 +31,7 @@ export async function POST(request: NextRequest) {
       feeds: body.feeds,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateOracle:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/orbit-config/route.ts b/apps/web/src/app/api/v1/tools/orbit-config/route.ts
index f812c1b..e09360f 100644
--- a/apps/web/src/app/api/v1/tools/orbit-config/route.ts
+++ b/apps/web/src/app/api/v1/tools/orbit-config/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateOrbitConfig } from "@/lib/tools/generateOrbitConfig";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -34,7 +37,7 @@ export async function POST(request: NextRequest) {
       parentChain: body.parentChain as Parameters<typeof generateOrbitConfig>[0]["parentChain"],
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateOrbitConfig:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/orbit-deploy/route.ts b/apps/web/src/app/api/v1/tools/orbit-deploy/route.ts
index 3a6800b..ac5319c 100644
--- a/apps/web/src/app/api/v1/tools/orbit-deploy/route.ts
+++ b/apps/web/src/app/api/v1/tools/orbit-deploy/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateOrbitDeployment } from "@/lib/tools/generateOrbitDeployment";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -42,7 +45,7 @@ export async function POST(request: NextRequest) {
       rollupAddress: body.rollupAddress,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateOrbitDeployment:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/orbit-validator/route.ts b/apps/web/src/app/api/v1/tools/orbit-validator/route.ts
index 0807671..49f6263 100644
--- a/apps/web/src/app/api/v1/tools/orbit-validator/route.ts
+++ b/apps/web/src/app/api/v1/tools/orbit-validator/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateValidatorSetup } from "@/lib/tools/generateValidatorSetup";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -36,7 +39,7 @@ export async function POST(request: NextRequest) {
       parentChain: body.parentChain as Parameters<typeof generateValidatorSetup>[0]["parentChain"],
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateValidatorSetup:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/orchestrate-orbit/route.ts b/apps/web/src/app/api/v1/tools/orchestrate-orbit/route.ts
index 9092879..08030cf 100644
--- a/apps/web/src/app/api/v1/tools/orchestrate-orbit/route.ts
+++ b/apps/web/src/app/api/v1/tools/orchestrate-orbit/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { orchestrateOrbit } from "@/lib/tools/orchestrateOrbit";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -38,7 +41,7 @@ export async function POST(request: NextRequest) {
       batchPosters: body.batchPosters,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in orchestrateOrbit:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/orchestrate/route.ts b/apps/web/src/app/api/v1/tools/orchestrate/route.ts
index 78e2b3b..2c5f156 100644
--- a/apps/web/src/app/api/v1/tools/orchestrate/route.ts
+++ b/apps/web/src/app/api/v1/tools/orchestrate/route.ts
@@ -2,12 +2,15 @@ import { NextRequest, NextResponse } from "next/server";
 import { orchestrateDapp } from "@/lib/tools/orchestrateDapp";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 export async function POST(request: NextRequest) {
   try {
     const { env } = getCloudflareContext();
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     const body = (await request.json()) as {
       prompt?: string;
@@ -32,7 +35,7 @@ export async function POST(request: NextRequest) {
       contractAbi: body.contractAbi,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in orchestrateDapp:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/tests/route.ts b/apps/web/src/app/api/v1/tools/tests/route.ts
index 40611c0..0a7e099 100644
--- a/apps/web/src/app/api/v1/tools/tests/route.ts
+++ b/apps/web/src/app/api/v1/tools/tests/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { generateTests, type GenerateTestsInput } from "@/lib/tools/generateTests";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 
 export async function POST(request: NextRequest) {
@@ -12,6 +13,8 @@ export async function POST(request: NextRequest) {
     // Validate request (supports both user API keys and admin secret)
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     // Check for OpenRouter API key
     if (!env.OPENROUTER_API_KEY) {
@@ -39,7 +42,7 @@ export async function POST(request: NextRequest) {
       coverageFocus: body.coverageFocus,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in generateTests:", message, error);
diff --git a/apps/web/src/app/api/v1/tools/workflow/route.ts b/apps/web/src/app/api/v1/tools/workflow/route.ts
index bbeeefa..9086cdf 100644
--- a/apps/web/src/app/api/v1/tools/workflow/route.ts
+++ b/apps/web/src/app/api/v1/tools/workflow/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { getWorkflow, type GetWorkflowInput } from "@/lib/tools/getWorkflow";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { validateRequest } from "@/lib/auth/validateRequest";
+import { checkToolRateLimit } from "@/lib/rateLimit";
 
 
 export async function POST(request: NextRequest) {
@@ -12,6 +13,8 @@ export async function POST(request: NextRequest) {
     // Validate request (supports both user API keys and admin secret)
     const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
     if (!auth.success) return auth.response;
+    const rl = await checkToolRateLimit(env.KV, auth);
+    if ("response" in rl) return rl.response;
 
     // Parse request body
     const body = (await request.json()) as GetWorkflowInput;
@@ -37,7 +40,7 @@ export async function POST(request: NextRequest) {
       includeTroubleshooting: body.includeTroubleshooting ?? true,
     });
 
-    return NextResponse.json(result);
+    return NextResponse.json(result, { headers: rl.headers });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     console.error("Error in getWorkflow:", message, error);
diff --git a/apps/web/src/app/api/v1/usage/route.ts b/apps/web/src/app/api/v1/usage/route.ts
new file mode 100644
index 0000000..c2a2e9a
--- /dev/null
+++ b/apps/web/src/app/api/v1/usage/route.ts
@@ -0,0 +1,100 @@
+/**
+ * GET /api/v1/usage
+ *
+ * Returns the current rate-limit state for the authenticated key:
+ *   - tier
+ *   - chat counters (minute + day windows)
+ *   - tool counters (minute + day windows)
+ *   - recent activity summary (24h call count + last call time, from D1)
+ *
+ * This endpoint is itself rate-limit free (it does not increment any
+ * counters), so clients can poll it to plan around the limits without
+ * burning a slot. Auth is the same as every other v1 endpoint.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { getCloudflareContext } from "@opennextjs/cloudflare";
+import { validateRequest } from "@/lib/auth/validateRequest";
+import { peekUsage, subjectFor } from "@/lib/rateLimit";
+
+export async function GET(request: NextRequest) {
+  try {
+    const { env } = getCloudflareContext();
+
+    const auth = await validateRequest(request, env.DB, env.AUTH_SECRET);
+    if (!auth.success) return auth.response;
+
+    const subj = subjectFor(auth);
+    const tier = subj?.tier ?? (auth.isAdmin ? "unlimited" : "free");
+
+    // Admin requests have no subject — return tier limits with zero usage.
+    if (!subj) {
+      const placeholder = await peekUsage(env.KV, "admin", "chat", tier);
+      const placeholderTool = await peekUsage(env.KV, "admin", "tool", tier);
+      return NextResponse.json({
+        tier,
+        admin: true,
+        chat: { minute: placeholder.minute, day: placeholder.day },
+        tool: { minute: placeholderTool.minute, day: placeholderTool.day },
+        recent: null,
+      });
+    }
+
+    const [chatUsage, toolUsage] = await Promise.all([
+      peekUsage(env.KV, subj.subject, "chat", tier),
+      peekUsage(env.KV, subj.subject, "tool", tier),
+    ]);
+
+    // 24h activity summary from usage_logs (only for API-key auth — session
+    // auth doesn't have a key_id to filter on).
+    let recent: {
+      calls24h: number;
+      lastCallAt: string | null;
+      successRate: number | null;
+    } | null = null;
+    if (auth.keyId) {
+      const since = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString();
+      const row = await env.DB
+        .prepare(
+          `SELECT COUNT(*) AS total,
+                  SUM(success) AS ok,
+                  MAX(created_at) AS last
+           FROM usage_logs
+           WHERE api_key_id = ? AND created_at >= ?`,
+        )
+        .bind(auth.keyId, since)
+        .first<{ total: number; ok: number | null; last: string | null }>();
+      const total = row?.total ?? 0;
+      recent = {
+        calls24h: total,
+        lastCallAt: row?.last ?? null,
+        successRate: total > 0 ? (row?.ok ?? 0) / total : null,
+      };
+    }
+
+    return NextResponse.json({
+      tier,
+      admin: false,
+      chat: { minute: chatUsage.minute, day: chatUsage.day },
+      tool: { minute: toolUsage.minute, day: toolUsage.day },
+      recent,
+    });
+  } catch (e) {
+    console.error("usage endpoint failed:", e);
+    return NextResponse.json(
+      { error: (e as Error).message || String(e) },
+      { status: 500 },
+    );
+  }
+}
+
+export async function OPTIONS() {
+  return new NextResponse(null, {
+    status: 204,
+    headers: {
+      "Access-Control-Allow-Origin": "*",
+      "Access-Control-Allow-Methods": "GET, OPTIONS",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    },
+  });
+}
diff --git a/apps/web/src/app/dashboard/admin/page.tsx b/apps/web/src/app/dashboard/admin/page.tsx
index 6355d3d..96d85b8 100644
--- a/apps/web/src/app/dashboard/admin/page.tsx
+++ b/apps/web/src/app/dashboard/admin/page.tsx
@@ -44,6 +44,9 @@ export default function AdminPage() {
   const [adminSecret, setAdminSecret] = useState("");
   const [isAuthed, setIsAuthed] = useState(false);
 
+  // View tabs
+  const [view, setView] = useState<"sources" | "rateLimits">("sources");
+
   // Filters
   const [categoryFilter, setCategoryFilter] = useState<string>("");
   const [statusFilter, setStatusFilter] = useState<string>("");
@@ -196,6 +199,34 @@ export default function AdminPage() {
 
   return (
     <div className="space-y-6">
+      {/* Tabs */}
+      <div className="flex gap-2 border-b border-gray-200">
+        <button
+          onClick={() => setView("sources")}
+          className={`px-4 py-2 text-sm font-medium border-b-2 -mb-px ${
+            view === "sources"
+              ? "border-blue-600 text-blue-600"
+              : "border-transparent text-gray-500 hover:text-gray-700"
+          }`}
+        >
+          RAG Sources
+        </button>
+        <button
+          onClick={() => setView("rateLimits")}
+          className={`px-4 py-2 text-sm font-medium border-b-2 -mb-px ${
+            view === "rateLimits"
+              ? "border-blue-600 text-blue-600"
+              : "border-transparent text-gray-500 hover:text-gray-700"
+          }`}
+        >
+          Rate Limits
+        </button>
+      </div>
+
+      {view === "rateLimits" ? (
+        <RateLimitsPanel adminSecret={adminSecret} />
+      ) : (
+      <>
       {/* Header */}
       <div className="flex justify-between items-start">
         <div>
@@ -494,6 +525,193 @@ export default function AdminPage() {
           )}
         </div>
       )}
+      </>
+      )}
+    </div>
+  );
+}
+
+interface RateLimitKey {
+  id: string;
+  userId: string;
+  userEmail: string | null;
+  keyPrefix: string;
+  name: string | null;
+  tier: string;
+  limits: { perMinute: number; perDay: number };
+  createdAt: string;
+  lastUsedAt: string | null;
+  revokedAt: string | null;
+  calls24h: number;
+}
+
+function RateLimitsPanel({ adminSecret }: { adminSecret: string }) {
+  const [keys, setKeys] = useState<RateLimitKey[]>([]);
+  const [tiers, setTiers] = useState<string[]>(["free", "pro", "unlimited"]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [savingId, setSavingId] = useState<string | null>(null);
+  const [filter, setFilter] = useState("");
+  const [tierFilter, setTierFilter] = useState<string>("");
+
+  const load = useCallback(async () => {
+    if (!adminSecret) return;
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await fetch("/api/admin/rate-limits", {
+        headers: { "X-Admin-Secret": adminSecret },
+      });
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      const data = (await res.json()) as { tiers: string[]; keys: RateLimitKey[] };
+      setKeys(data.keys);
+      setTiers(data.tiers);
+    } catch (e) {
+      setError(`Failed to load: ${e}`);
+    } finally {
+      setLoading(false);
+    }
+  }, [adminSecret]);
+
+  useEffect(() => {
+    load();
+  }, [load]);
+
+  const updateTier = async (keyId: string, tier: string) => {
+    setSavingId(keyId);
+    try {
+      const res = await fetch("/api/admin/rate-limits", {
+        method: "PATCH",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Admin-Secret": adminSecret,
+        },
+        body: JSON.stringify({ keyId, tier }),
+      });
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      const data = (await res.json()) as { limits: { perMinute: number; perDay: number } };
+      setKeys((prev) =>
+        prev.map((k) => (k.id === keyId ? { ...k, tier, limits: data.limits } : k)),
+      );
+    } catch (e) {
+      setError(`Update failed: ${e}`);
+    } finally {
+      setSavingId(null);
+    }
+  };
+
+  const filtered = keys.filter((k) => {
+    if (tierFilter && k.tier !== tierFilter) return false;
+    if (!filter) return true;
+    const f = filter.toLowerCase();
+    return (
+      (k.userEmail ?? "").toLowerCase().includes(f) ||
+      (k.name ?? "").toLowerCase().includes(f) ||
+      k.keyPrefix.toLowerCase().includes(f) ||
+      k.id.toLowerCase().includes(f)
+    );
+  });
+
+  return (
+    <div className="space-y-4">
+      <div className="flex items-start justify-between gap-4">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">Rate Limit Tiers</h1>
+          <p className="text-gray-600 mt-1 text-sm">
+            Per-key two-window quotas (burst per UTC minute + total per UTC day), applied separately to chat and tool calls. Tiers:{" "}
+            <span className="font-mono">free</span> = 100/min, 1000/day;{" "}
+            <span className="font-mono">pro</span> = 500/min, 10K/day;{" "}
+            <span className="font-mono">unlimited</span> = 10K/min, 1M/day.
+          </p>
+        </div>
+        <button
+          onClick={load}
+          className="text-sm px-3 py-1.5 border border-gray-200 rounded-lg hover:bg-gray-50"
+        >
+          Refresh
+        </button>
+      </div>
+
+      <div className="flex gap-2">
+        <input
+          value={filter}
+          onChange={(e) => setFilter(e.target.value)}
+          placeholder="Filter by email, name, prefix, or id..."
+          className="flex-1 px-3 py-2 text-sm border border-gray-200 rounded-lg"
+        />
+        <select
+          value={tierFilter}
+          onChange={(e) => setTierFilter(e.target.value)}
+          className="px-3 py-2 text-sm border border-gray-200 rounded-lg bg-white"
+        >
+          <option value="">All tiers</option>
+          {tiers.map((t) => (
+            <option key={t} value={t}>{t}</option>
+          ))}
+        </select>
+      </div>
+
+      {error && <div className="bg-red-50 border border-red-100 text-red-700 px-4 py-2 rounded-lg text-sm">{error}</div>}
+
+      {loading ? (
+        <p className="text-gray-500 text-sm">Loading…</p>
+      ) : (
+        <div className="bg-white rounded-xl border border-gray-200 overflow-hidden">
+          <table className="w-full text-sm">
+            <thead className="bg-gray-50 text-gray-600 text-xs uppercase">
+              <tr>
+                <th className="px-4 py-2 text-left">User / Key</th>
+                <th className="px-4 py-2 text-left">Prefix</th>
+                <th className="px-4 py-2 text-left">Tier</th>
+                <th className="px-4 py-2 text-right">24h Calls</th>
+                <th className="px-4 py-2 text-left">Last Used</th>
+                <th className="px-4 py-2 text-left">Status</th>
+              </tr>
+            </thead>
+            <tbody>
+              {filtered.map((k) => (
+                <tr key={k.id} className="border-t border-gray-100">
+                  <td className="px-4 py-2">
+                    <div className="font-medium text-gray-900">{k.userEmail || k.userId}</div>
+                    <div className="text-xs text-gray-500">{k.name || "(unnamed key)"}</div>
+                  </td>
+                  <td className="px-4 py-2 font-mono text-xs">{k.keyPrefix}…</td>
+                  <td className="px-4 py-2">
+                    <select
+                      value={k.tier}
+                      onChange={(e) => updateTier(k.id, e.target.value)}
+                      disabled={savingId === k.id || !!k.revokedAt}
+                      className="text-xs border border-gray-200 rounded px-2 py-1 bg-white disabled:opacity-50"
+                    >
+                      {tiers.map((t) => (
+                        <option key={t} value={t}>{t}</option>
+                      ))}
+                    </select>
+                  </td>
+                  <td className="px-4 py-2 text-right font-mono text-xs">{k.calls24h}</td>
+                  <td className="px-4 py-2 text-xs text-gray-500">
+                    {k.lastUsedAt ? new Date(k.lastUsedAt).toLocaleString() : "—"}
+                  </td>
+                  <td className="px-4 py-2">
+                    {k.revokedAt ? (
+                      <span className="text-xs text-red-600">revoked</span>
+                    ) : (
+                      <span className="text-xs text-green-600">active</span>
+                    )}
+                  </td>
+                </tr>
+              ))}
+              {filtered.length === 0 && (
+                <tr>
+                  <td colSpan={6} className="px-4 py-6 text-center text-gray-400 text-sm">
+                    No keys match.
+                  </td>
+                </tr>
+              )}
+            </tbody>
+          </table>
+        </div>
+      )}
     </div>
   );
 }
diff --git a/apps/web/src/app/dashboard/keys/page.tsx b/apps/web/src/app/dashboard/keys/page.tsx
index 3c20ab5..879dd5c 100644
--- a/apps/web/src/app/dashboard/keys/page.tsx
+++ b/apps/web/src/app/dashboard/keys/page.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { useState, useEffect } from "react";
+import { useState, useEffect, useCallback } from "react";
 
 interface ApiKey {
   id: string;
@@ -8,10 +8,27 @@ interface ApiKey {
   name: string | null;
   createdAt: string;
   lastUsedAt: string | null;
+  rateLimitTier?: string;
+}
+
+interface WindowState {
+  limit: number;
+  remaining: number;
+  used: number;
+  resetSeconds: number;
+}
+
+interface KeyUsage {
+  tier: string;
+  limits: { perMinute: number; perDay: number };
+  chat: { minute: WindowState; day: WindowState };
+  tool: { minute: WindowState; day: WindowState };
+  recent: { calls24h: number; lastCallAt: string | null; successRate: number | null };
 }
 
 export default function ApiKeysPage() {
   const [keys, setKeys] = useState<ApiKey[]>([]);
+  const [usage, setUsage] = useState<Record<string, KeyUsage>>({});
   const [loading, setLoading] = useState(true);
   const [creating, setCreating] = useState(false);
   const [newKeyName, setNewKeyName] = useState("");
@@ -19,11 +36,7 @@ export default function ApiKeysPage() {
   const [error, setError] = useState<string | null>(null);
   const [copied, setCopied] = useState(false);
 
-  useEffect(() => {
-    fetchKeys();
-  }, []);
-
-  async function fetchKeys() {
+  const fetchKeys = useCallback(async () => {
     try {
       const res = await fetch("/api/keys");
       const data = (await res.json()) as { keys?: ApiKey[] };
@@ -33,7 +46,25 @@ export default function ApiKeysPage() {
     } finally {
       setLoading(false);
     }
-  }
+  }, []);
+
+  const fetchUsage = useCallback(async () => {
+    try {
+      const res = await fetch("/api/keys/usage");
+      if (!res.ok) return;
+      const data = (await res.json()) as { usage: Record<string, KeyUsage> };
+      setUsage(data.usage || {});
+    } catch {
+      // Non-fatal — widget just won't render until next poll succeeds.
+    }
+  }, []);
+
+  useEffect(() => {
+    fetchKeys();
+    fetchUsage();
+    const id = setInterval(fetchUsage, 15_000);
+    return () => clearInterval(id);
+  }, [fetchKeys, fetchUsage]);
 
   async function createKey() {
     setCreating(true);
@@ -52,6 +83,7 @@ export default function ApiKeysPage() {
       setNewKey(data.key);
       setNewKeyName("");
       fetchKeys();
+      fetchUsage();
     } catch {
       setError("Failed to create API key");
     } finally {
@@ -66,6 +98,7 @@ export default function ApiKeysPage() {
       const res = await fetch(`/api/keys/${id}`, { method: "DELETE" });
       if (!res.ok) throw new Error("Failed to revoke key");
       fetchKeys();
+      fetchUsage();
     } catch {
       setError("Failed to revoke API key");
     }
@@ -258,11 +291,26 @@ export default function ApiKeysPage() {
                     {key.name && (
                       <span className="text-sm font-medium text-gray-700">{key.name}</span>
                     )}
+                    {key.rateLimitTier && (
+                      <span
+                        className={`text-xs font-medium px-2 py-0.5 rounded-full ${
+                          key.rateLimitTier === "unlimited"
+                            ? "bg-purple-50 text-purple-700"
+                            : key.rateLimitTier === "pro"
+                            ? "bg-blue-50 text-blue-700"
+                            : "bg-gray-100 text-gray-600"
+                        }`}
+                        title="Daily rate-limit tier — contact support to upgrade"
+                      >
+                        {key.rateLimitTier}
+                      </span>
+                    )}
                   </div>
                   <div className="text-sm text-gray-500 mt-1.5 flex flex-wrap gap-x-3 gap-y-1">
                     <span>Created: {formatDate(key.createdAt)}</span>
                     <span>Last used: {formatDate(key.lastUsedAt)}</span>
                   </div>
+                  {usage[key.id] && <UsageWidget u={usage[key.id]} />}
                 </div>
                 <button
                   onClick={() => revokeKey(key.id)}
@@ -278,3 +326,50 @@ export default function ApiKeysPage() {
     </div>
   );
 }
+
+function UsageWidget({ u }: { u: KeyUsage }) {
+  return (
+    <div className="mt-3 grid grid-cols-1 sm:grid-cols-2 gap-2 text-xs">
+      <UsageBars label="Chat" cat={u.chat} />
+      <UsageBars label="Tool" cat={u.tool} />
+      <div className="sm:col-span-2 text-gray-500 mt-1">
+        24h: {u.recent.calls24h} call{u.recent.calls24h === 1 ? "" : "s"}
+        {u.recent.successRate !== null && (
+          <> · {Math.round(u.recent.successRate * 100)}% success</>
+        )}
+      </div>
+    </div>
+  );
+}
+
+function UsageBars({
+  label,
+  cat,
+}: {
+  label: string;
+  cat: { minute: WindowState; day: WindowState };
+}) {
+  return (
+    <div className="border border-gray-100 rounded-lg p-2 bg-gray-50">
+      <div className="font-medium text-gray-700 mb-1">{label}</div>
+      <Bar window="min" used={cat.minute.used} limit={cat.minute.limit} />
+      <Bar window="day" used={cat.day.used} limit={cat.day.limit} />
+    </div>
+  );
+}
+
+function Bar({ window: w, used, limit }: { window: "min" | "day"; used: number; limit: number }) {
+  const pct = limit > 0 ? Math.min(100, (used / limit) * 100) : 0;
+  const color = pct >= 90 ? "bg-red-500" : pct >= 70 ? "bg-yellow-500" : "bg-green-500";
+  return (
+    <div className="flex items-center gap-2 mt-0.5">
+      <span className="w-8 text-gray-400">{w === "min" ? "/min" : "/day"}</span>
+      <div className="flex-1 h-1.5 bg-gray-200 rounded-full overflow-hidden">
+        <div className={`h-full ${color}`} style={{ width: `${pct}%` }} />
+      </div>
+      <span className="w-16 text-right tabular-nums text-gray-600">
+        {used} / {limit}
+      </span>
+    </div>
+  );
+}
diff --git a/apps/web/src/app/mcp/route.ts b/apps/web/src/app/mcp/route.ts
index ae816f7..4d2829e 100644
--- a/apps/web/src/app/mcp/route.ts
+++ b/apps/web/src/app/mcp/route.ts
@@ -8,6 +8,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
 import { runTool, type ToolEnv, type ToolResult } from "@/lib/tools/dispatch";
+import { enforceRateLimit, rateLimitHeaders } from "@/lib/rateLimit";
 
 // MCP Protocol Types
 interface JsonRpcRequest {
@@ -633,7 +634,7 @@ const SERVER_INFO = {
 async function validateApiKey(
   request: NextRequest,
   db: D1Database
-): Promise<{ valid: boolean; keyId?: string; userId?: string; error?: string }> {
+): Promise<{ valid: boolean; keyId?: string; userId?: string; tier?: string; error?: string }> {
   const authHeader = request.headers.get("Authorization");
   if (!authHeader?.startsWith("Bearer ")) {
     return { valid: false, error: "Missing or invalid Authorization header" };
@@ -654,10 +655,10 @@ async function validateApiKey(
   // Look up the key
   const keyRecord = await db
     .prepare(
-      `SELECT id, user_id FROM api_keys WHERE key_hash = ? AND revoked_at IS NULL`
+      `SELECT id, user_id, rate_limit_tier FROM api_keys WHERE key_hash = ? AND revoked_at IS NULL`
     )
     .bind(keyHash)
-    .first<{ id: string; user_id: string }>();
+    .first<{ id: string; user_id: string; rate_limit_tier: string | null }>();
 
   if (!keyRecord) {
     return { valid: false, error: "Invalid or revoked API key" };
@@ -669,7 +670,12 @@ async function validateApiKey(
     .bind(new Date().toISOString(), keyRecord.id)
     .run();
 
-  return { valid: true, keyId: keyRecord.id, userId: keyRecord.user_id };
+  return {
+    valid: true,
+    keyId: keyRecord.id,
+    userId: keyRecord.user_id,
+    tier: keyRecord.rate_limit_tier ?? "free",
+  };
 }
 
 // Log usage to database
@@ -720,9 +726,11 @@ async function processRequest(
     VECTORIZE: VectorizeIndex;
     AI: Ai;
     DB: D1Database;
+    KV: KVNamespace;
     OPENROUTER_API_KEY?: string;
   },
-  apiKeyId?: string
+  apiKeyId?: string,
+  tier: string = "free"
 ): Promise<JsonRpcResponse> {
   try {
     switch (request.method) {
@@ -774,6 +782,30 @@ async function processRequest(
           };
         }
 
+        // Per-call rate limit (skip for unauthenticated paths — those will fail on auth before reaching here).
+        if (apiKeyId) {
+          const decision = await enforceRateLimit(env.KV, `key:${apiKeyId}`, "tool", tier);
+          if (!decision.allowed) {
+            const denyWindow = decision.exceededWindow === "minute" ? decision.minute : decision.day;
+            const label = decision.exceededWindow === "minute" ? "per-minute" : "per-day";
+            return {
+              jsonrpc: "2.0",
+              id: request.id,
+              error: {
+                code: -32002,
+                message: `Tool rate limit exceeded (${label}: ${denyWindow.limit} on tier '${decision.tier}'). Try again in ${denyWindow.resetSeconds}s.`,
+                data: {
+                  window: decision.exceededWindow,
+                  limit: denyWindow.limit,
+                  used: denyWindow.used,
+                  resetSeconds: denyWindow.resetSeconds,
+                  tier: decision.tier,
+                },
+              },
+            };
+          }
+        }
+
         const startTime = Date.now();
         let toolResult: ToolResult;
 
@@ -881,15 +913,17 @@ export async function POST(request: NextRequest) {
       VECTORIZE: env.VECTORIZE,
       AI: env.AI,
       DB: env.DB,
+      KV: env.KV,
       OPENROUTER_API_KEY: env.OPENROUTER_API_KEY,
     };
+    const tier = authResult.tier ?? "free";
 
     // Handle single request or batch
     if (Array.isArray(body)) {
       // Batch request
       const responses = await Promise.all(
         body.map((req: JsonRpcRequest) =>
-          processRequest(req, envObj, authResult.keyId)
+          processRequest(req, envObj, authResult.keyId, tier)
         )
       );
       return NextResponse.json(responses);
@@ -898,7 +932,8 @@ export async function POST(request: NextRequest) {
       const response = await processRequest(
         body as JsonRpcRequest,
         envObj,
-        authResult.keyId
+        authResult.keyId,
+        tier
       );
       return NextResponse.json(response);
     }
diff --git a/apps/web/src/lib/apiKeys.ts b/apps/web/src/lib/apiKeys.ts
index 8accaa9..456c6c7 100644
--- a/apps/web/src/lib/apiKeys.ts
+++ b/apps/web/src/lib/apiKeys.ts
@@ -13,6 +13,7 @@ export interface ApiKey {
   createdAt: string;
   lastUsedAt: string | null;
   revokedAt: string | null;
+  rateLimitTier?: string;
 }
 
 export interface ApiKeyWithSecret extends ApiKey {
@@ -98,7 +99,8 @@ export async function listApiKeys(
   const result = await db
     .prepare(
       `SELECT id, user_id as userId, key_prefix as keyPrefix, name,
-              created_at as createdAt, last_used_at as lastUsedAt, revoked_at as revokedAt
+              created_at as createdAt, last_used_at as lastUsedAt, revoked_at as revokedAt,
+              rate_limit_tier as rateLimitTier
        FROM api_keys
        WHERE user_id = ? AND revoked_at IS NULL
        ORDER BY created_at DESC`
diff --git a/apps/web/src/lib/auth/validateRequest.ts b/apps/web/src/lib/auth/validateRequest.ts
index 3e654b2..483a15b 100644
--- a/apps/web/src/lib/auth/validateRequest.ts
+++ b/apps/web/src/lib/auth/validateRequest.ts
@@ -16,6 +16,8 @@ export interface AuthResult {
   userId: string | null;
   keyId: string | null;
   isAdmin: boolean;
+  /** Rate limit tier; only set for API-key auth. Session auth uses 'free' implicitly. */
+  rateLimitTier?: string;
 }
 
 export interface AuthError {
@@ -58,11 +60,11 @@ export async function validateRequest(
 
       const result = await db
         .prepare(
-          `SELECT id, user_id as userId FROM api_keys
+          `SELECT id, user_id as userId, rate_limit_tier as rateLimitTier FROM api_keys
            WHERE key_hash = ? AND revoked_at IS NULL`
         )
         .bind(keyHash)
-        .first<{ id: string; userId: string }>();
+        .first<{ id: string; userId: string; rateLimitTier: string | null }>();
 
       if (result) {
         // Update last used timestamp
@@ -76,6 +78,7 @@ export async function validateRequest(
           userId: result.userId,
           keyId: result.id,
           isAdmin: false,
+          rateLimitTier: result.rateLimitTier ?? "free",
         };
       }
 
diff --git a/apps/web/src/lib/rateLimit.ts b/apps/web/src/lib/rateLimit.ts
new file mode 100644
index 0000000..04c6cac
--- /dev/null
+++ b/apps/web/src/lib/rateLimit.ts
@@ -0,0 +1,246 @@
+/**
+ * Two-window rate limiter: per-minute burst + per-day total.
+ *
+ * Both windows must allow a request; whichever is exhausted first triggers
+ * the 429. Counters are KV-backed, keyed per subject (API key id, or user
+ * id for session auth) and per category (chat or tool). Admin Bearer auth
+ * bypasses entirely.
+ *
+ *   minute counter:  rl:{subject}:{category}:m:{YYYY-MM-DDTHH:MM}  TTL 120s
+ *   daily counter:   rl:{subject}:{category}:d:{YYYY-MM-DD}        TTL 48h
+ *
+ * KV is eventually consistent across regions, so a small overshoot is
+ * possible under bursty traffic. That's acceptable for a quota.
+ */
+
+export type RateLimitCategory = "chat" | "tool";
+export type RateLimitTier = "free" | "pro" | "unlimited";
+
+interface TierLimits {
+  /** Burst limit per UTC minute. */
+  perMinute: number;
+  /** Total per UTC day. */
+  perDay: number;
+}
+
+/**
+ * Per-tier limits. Applied identically to both `chat` and `tool` categories
+ * (each category maintains its own counters). Tuned to allow normal API usage
+ * while putting a worst-case daily cost ceiling on each free key.
+ */
+const TIER_LIMITS: Record<RateLimitTier, TierLimits> = {
+  free: { perMinute: 100, perDay: 1000 },
+  pro: { perMinute: 500, perDay: 10000 },
+  unlimited: { perMinute: 10000, perDay: 1000000 },
+};
+
+export function getLimitsForTier(tier: string): TierLimits {
+  return TIER_LIMITS[(tier as RateLimitTier) in TIER_LIMITS ? (tier as RateLimitTier) : "free"];
+}
+
+export interface RateLimitDecision {
+  allowed: boolean;
+  /** Which window denied the request, if any. */
+  exceededWindow?: "minute" | "day";
+  category: RateLimitCategory;
+  tier: string;
+  minute: { limit: number; remaining: number; used: number; resetSeconds: number };
+  day: { limit: number; remaining: number; used: number; resetSeconds: number };
+}
+
+function minuteKey(): string {
+  return new Date().toISOString().slice(0, 16); // "YYYY-MM-DDTHH:MM"
+}
+
+function dayKey(): string {
+  return new Date().toISOString().slice(0, 10);
+}
+
+function secondsUntilNextUtcMinute(): number {
+  const now = new Date();
+  const next = new Date(now);
+  next.setUTCSeconds(0, 0);
+  next.setUTCMinutes(next.getUTCMinutes() + 1);
+  return Math.max(1, Math.floor((next.getTime() - now.getTime()) / 1000));
+}
+
+function secondsUntilNextUtcMidnight(): number {
+  const now = new Date();
+  const next = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate() + 1));
+  return Math.max(1, Math.floor((next.getTime() - now.getTime()) / 1000));
+}
+
+/**
+ * Check both windows, deny if either is over the limit, otherwise increment
+ * both. On deny, neither counter is incremented (so a flood of denied requests
+ * doesn't push either number arbitrarily high).
+ */
+export async function enforceRateLimit(
+  kv: KVNamespace,
+  subject: string,
+  category: RateLimitCategory,
+  tier: string,
+): Promise<RateLimitDecision> {
+  const { perMinute, perDay } = getLimitsForTier(tier);
+  const mKey = `rl:${subject}:${category}:m:${minuteKey()}`;
+  const dKey = `rl:${subject}:${category}:d:${dayKey()}`;
+  const minResetSec = secondsUntilNextUtcMinute();
+  const dayResetSec = secondsUntilNextUtcMidnight();
+
+  const [mRaw, dRaw] = await Promise.all([kv.get(mKey), kv.get(dKey)]);
+  const mUsed = mRaw ? parseInt(mRaw, 10) || 0 : 0;
+  const dUsed = dRaw ? parseInt(dRaw, 10) || 0 : 0;
+
+  const overMinute = mUsed >= perMinute;
+  const overDay = dUsed >= perDay;
+
+  if (overMinute || overDay) {
+    return {
+      allowed: false,
+      exceededWindow: overMinute ? "minute" : "day",
+      category,
+      tier,
+      minute: { limit: perMinute, remaining: Math.max(0, perMinute - mUsed), used: mUsed, resetSeconds: minResetSec },
+      day: { limit: perDay, remaining: Math.max(0, perDay - dUsed), used: dUsed, resetSeconds: dayResetSec },
+    };
+  }
+
+  // Increment both (best-effort parallel; KV is eventually consistent, small overshoot is acceptable).
+  await Promise.all([
+    kv.put(mKey, String(mUsed + 1), { expirationTtl: 120 }),
+    kv.put(dKey, String(dUsed + 1), { expirationTtl: 60 * 60 * 48 }),
+  ]);
+
+  return {
+    allowed: true,
+    category,
+    tier,
+    minute: { limit: perMinute, remaining: perMinute - (mUsed + 1), used: mUsed + 1, resetSeconds: minResetSec },
+    day: { limit: perDay, remaining: perDay - (dUsed + 1), used: dUsed + 1, resetSeconds: dayResetSec },
+  };
+}
+
+/**
+ * Standard rate-limit response headers. Reports both windows so clients can
+ * see which one is closer to exhaustion. The single-valued headers
+ * (X-RateLimit-Limit / -Remaining / -Reset) reflect the *bottleneck* —
+ * whichever window has fewer remaining calls — for clients that only check
+ * the canonical names. Retry-After on a 429 uses the bottleneck window.
+ */
+export function rateLimitHeaders(d: RateLimitDecision): Record<string, string> {
+  const bottleneck = d.minute.remaining <= d.day.remaining ? d.minute : d.day;
+  const headers: Record<string, string> = {
+    "X-RateLimit-Limit": String(bottleneck.limit),
+    "X-RateLimit-Remaining": String(bottleneck.remaining),
+    "X-RateLimit-Reset": String(bottleneck.resetSeconds),
+    "X-RateLimit-Tier": d.tier,
+    "X-RateLimit-Limit-Minute": String(d.minute.limit),
+    "X-RateLimit-Remaining-Minute": String(d.minute.remaining),
+    "X-RateLimit-Reset-Minute": String(d.minute.resetSeconds),
+    "X-RateLimit-Limit-Day": String(d.day.limit),
+    "X-RateLimit-Remaining-Day": String(d.day.remaining),
+    "X-RateLimit-Reset-Day": String(d.day.resetSeconds),
+  };
+  if (!d.allowed) {
+    const denyWindow = d.exceededWindow === "minute" ? d.minute : d.day;
+    headers["Retry-After"] = String(denyWindow.resetSeconds);
+  }
+  return headers;
+}
+
+/**
+ * Rate-limit "subject" — what we count against. API keys count per key (so
+ * a user can have a high-tier key and a free key separately). Session-auth
+ * requests count per user. Admin is null (skip enforcement).
+ */
+export function subjectFor(auth: { keyId: string | null; userId: string | null; isAdmin: boolean }):
+  | { subject: string; tier: string }
+  | null {
+  if (auth.isAdmin) return null;
+  if (auth.keyId) {
+    const tier = (auth as { rateLimitTier?: string }).rateLimitTier ?? "free";
+    return { subject: `key:${auth.keyId}`, tier };
+  }
+  if (auth.userId) {
+    // Session auth — always free tier, scoped per user.
+    return { subject: `user:${auth.userId}`, tier: "free" };
+  }
+  return null;
+}
+
+/**
+ * Read-only snapshot of current usage for `subject` in `category`. Does NOT
+ * increment counters — used by GET /api/v1/usage so callers can plan around
+ * the limits without burning a slot.
+ */
+export async function peekUsage(
+  kv: KVNamespace,
+  subject: string,
+  category: RateLimitCategory,
+  tier: string,
+): Promise<RateLimitDecision> {
+  const { perMinute, perDay } = getLimitsForTier(tier);
+  const mKey = `rl:${subject}:${category}:m:${minuteKey()}`;
+  const dKey = `rl:${subject}:${category}:d:${dayKey()}`;
+
+  const [mRaw, dRaw] = await Promise.all([kv.get(mKey), kv.get(dKey)]);
+  const mUsed = mRaw ? parseInt(mRaw, 10) || 0 : 0;
+  const dUsed = dRaw ? parseInt(dRaw, 10) || 0 : 0;
+
+  const overMinute = mUsed >= perMinute;
+  const overDay = dUsed >= perDay;
+  const allowed = !(overMinute || overDay);
+
+  return {
+    allowed,
+    exceededWindow: allowed ? undefined : overMinute ? "minute" : "day",
+    category,
+    tier,
+    minute: {
+      limit: perMinute,
+      remaining: Math.max(0, perMinute - mUsed),
+      used: mUsed,
+      resetSeconds: secondsUntilNextUtcMinute(),
+    },
+    day: {
+      limit: perDay,
+      remaining: Math.max(0, perDay - dUsed),
+      used: dUsed,
+      resetSeconds: secondsUntilNextUtcMidnight(),
+    },
+  };
+}
+
+/**
+ * One-shot helper for `/api/v1/tools/*` routes. Returns either a 429 response
+ * (when over either limit) or a `headers` map to attach to the success response.
+ */
+export async function checkToolRateLimit(
+  kv: KVNamespace,
+  auth: { keyId: string | null; userId: string | null; isAdmin: boolean; rateLimitTier?: string },
+): Promise<{ headers: Record<string, string> } | { response: Response }> {
+  const subj = subjectFor(auth);
+  if (!subj) return { headers: {} };
+  const decision = await enforceRateLimit(kv, subj.subject, "tool", subj.tier);
+  const headers = rateLimitHeaders(decision);
+  if (!decision.allowed) {
+    const denyWindow = decision.exceededWindow === "minute" ? decision.minute : decision.day;
+    const windowLabel = decision.exceededWindow === "minute" ? "per-minute" : "per-day";
+    const body = {
+      error: `Tool rate limit exceeded (${windowLabel}: ${denyWindow.limit} on tier '${decision.tier}'). Try again in ${denyWindow.resetSeconds}s.`,
+      type: "rate_limit_exceeded",
+      window: decision.exceededWindow,
+      limit: denyWindow.limit,
+      used: denyWindow.used,
+      resetSeconds: denyWindow.resetSeconds,
+      tier: decision.tier,
+    };
+    return {
+      response: new Response(JSON.stringify(body), {
+        status: 429,
+        headers: { "Content-Type": "application/json", ...headers },
+      }),
+    };
+  }
+  return { headers };
+}
diff --git a/docs/api/chat-completions.md b/docs/api/chat-completions.md
index 2000cbc..8d4139d 100644
--- a/docs/api/chat-completions.md
+++ b/docs/api/chat-completions.md
@@ -129,15 +129,67 @@ OpenAI shape:
 |---|---|---|
 | 400 | `invalid_request_error` | Body missing `messages` or invalid JSON. |
 | 401 | `invalid_api_key` | Missing or invalid `Authorization` header. |
-| 429 | `rate_limit_exceeded` | OpenRouter upstream rate limit. |
+| 429 | `rate_limit_exceeded` | Daily quota for the key's tier exhausted. Response carries `Retry-After` and `X-RateLimit-*` headers. |
 | 500 | `internal_error` | Server misconfiguration (missing OpenRouter key) or pre-stream failure. |
 | 502 | `upstream_error` | OpenRouter returned a non-retryable 4xx/5xx. |
 
 Mid-stream errors are surfaced as a `data:` frame, not an HTTP status change.
 
-## Limits
+## Rate limits
 
-| Limit | Value |
+Two windows, both enforced per key per category (chat and tool counters are independent). The minute window catches abuse bursts; the day window caps total cost. Whichever window is exhausted first triggers a 429 — clients should respect `Retry-After`.
+
+| Tier | Per-minute (each category) | Per-day (each category) |
+|---|---|---|
+| `free` (default) | 100 | 1000 |
+| `pro` | 500 | 10 000 |
+| `unlimited` | 10 000 | 1 000 000 |
+
+Headers on every response:
+
+- `X-RateLimit-Limit` / `-Remaining` / `-Reset` — bottleneck window (whichever has fewer calls left)
+- `X-RateLimit-Limit-Minute` / `-Remaining-Minute` / `-Reset-Minute`
+- `X-RateLimit-Limit-Day` / `-Remaining-Day` / `-Reset-Day`
+- `X-RateLimit-Tier` — your tier (`free`, `pro`, `unlimited`)
+
+A 429 additionally carries `Retry-After: <seconds>` for the window that denied the request.
+
+To request a higher tier, ping the admin — tier is bumped per key from the admin dashboard. Session-auth requests (playground) always count under `free` per user.
+
+### Checking usage without burning a slot
+
+```
+GET /api/v1/usage
+Authorization: Bearer arb_xxxxx
+```
+
+Returns the current rate-limit state for the calling key. This endpoint does **not** increment counters, so polling it is free.
+
+```json
+{
+  "tier": "free",
+  "admin": false,
+  "chat": {
+    "minute": { "limit": 100, "remaining": 99, "used": 1, "resetSeconds": 12 },
+    "day":    { "limit": 1000, "remaining": 999, "used": 1, "resetSeconds": 74012 }
+  },
+  "tool": {
+    "minute": { "limit": 100, "remaining": 100, "used": 0, "resetSeconds": 12 },
+    "day":    { "limit": 1000, "remaining": 1000, "used": 0, "resetSeconds": 74012 }
+  },
+  "recent": {
+    "calls24h": 17,
+    "lastCallAt": "2026-05-02T10:23:45.000Z",
+    "successRate": 1.0
+  }
+}
+```
+
+`recent` is sourced from `usage_logs` over the last 24h and is only populated for API-key auth (session-auth requests don't have a `keyId` to filter on, so `recent` is `null`).
+
+## Per-turn caps
+
+| Cap | Value |
 |---|---|
 | Max ReAct iterations per turn | 6 |
 | Max length-continuations per iteration | 3 |