feat: 添加API Key时间窗口限流功能并移除累计总量限制

- 新增时间窗口限流功能，支持按分钟设置时间窗口 - 支持在时间窗口内限制请求次数和Token使用量 - 移除原有的累计总量限制，只保留时间窗口限制 - Token统计包含所有4种类型：输入、输出、缓存创建、缓存读取 - 前端UI优化，明确显示限流参数的作用范围 - 限流触发时提供友好的错误提示和重置时间 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-23 21:17:30 +00:00 · 2025-07-20 15:58:00 +08:00
parent 0aa986a0d8
commit 088ce266ba
7 changed files with 224 additions and 16 deletions
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -103,6 +103,95 @@ const authenticateApiKey = async (req, res, next) => {
      };
    }

+    // 检查时间窗口限流
+    const rateLimitWindow = validation.keyData.rateLimitWindow || 0;
+    const rateLimitRequests = validation.keyData.rateLimitRequests || 0;
+    
+    if (rateLimitWindow > 0 && (rateLimitRequests > 0 || validation.keyData.tokenLimit > 0)) {
+      const windowStartKey = `rate_limit:window_start:${validation.keyData.id}`;
+      const requestCountKey = `rate_limit:requests:${validation.keyData.id}`;
+      const tokenCountKey = `rate_limit:tokens:${validation.keyData.id}`;
+      
+      const now = Date.now();
+      const windowDuration = rateLimitWindow * 60 * 1000; // 转换为毫秒
+      
+      // 获取窗口开始时间
+      let windowStart = await redis.getClient().get(windowStartKey);
+      
+      if (!windowStart) {
+        // 第一次请求，设置窗口开始时间
+        await redis.getClient().set(windowStartKey, now, 'PX', windowDuration);
+        await redis.getClient().set(requestCountKey, 0, 'PX', windowDuration);
+        await redis.getClient().set(tokenCountKey, 0, 'PX', windowDuration);
+        windowStart = now;
+      } else {
+        windowStart = parseInt(windowStart);
+        
+        // 检查窗口是否已过期
+        if (now - windowStart >= windowDuration) {
+          // 窗口已过期，重置
+          await redis.getClient().set(windowStartKey, now, 'PX', windowDuration);
+          await redis.getClient().set(requestCountKey, 0, 'PX', windowDuration);
+          await redis.getClient().set(tokenCountKey, 0, 'PX', windowDuration);
+          windowStart = now;
+        }
+      }
+      
+      // 获取当前计数
+      const currentRequests = parseInt(await redis.getClient().get(requestCountKey) || '0');
+      const currentTokens = parseInt(await redis.getClient().get(tokenCountKey) || '0');
+      
+      // 检查请求次数限制
+      if (rateLimitRequests > 0 && currentRequests >= rateLimitRequests) {
+        const resetTime = new Date(windowStart + windowDuration);
+        const remainingMinutes = Math.ceil((resetTime - now) / 60000);
+        
+        logger.security(`🚦 Rate limit exceeded (requests) for key: ${validation.keyData.id} (${validation.keyData.name}), requests: ${currentRequests}/${rateLimitRequests}`);
+        
+        return res.status(429).json({
+          error: 'Rate limit exceeded',
+          message: `已达到请求次数限制 (${rateLimitRequests} 次)，将在 ${remainingMinutes} 分钟后重置`,
+          currentRequests,
+          requestLimit: rateLimitRequests,
+          resetAt: resetTime.toISOString(),
+          remainingMinutes
+        });
+      }
+      
+      // 检查Token使用量限制
+      const tokenLimit = parseInt(validation.keyData.tokenLimit);
+      if (tokenLimit > 0 && currentTokens >= tokenLimit) {
+        const resetTime = new Date(windowStart + windowDuration);
+        const remainingMinutes = Math.ceil((resetTime - now) / 60000);
+        
+        logger.security(`🚦 Rate limit exceeded (tokens) for key: ${validation.keyData.id} (${validation.keyData.name}), tokens: ${currentTokens}/${tokenLimit}`);
+        
+        return res.status(429).json({
+          error: 'Rate limit exceeded',
+          message: `已达到 Token 使用限制 (${tokenLimit} tokens)，将在 ${remainingMinutes} 分钟后重置`,
+          currentTokens,
+          tokenLimit,
+          resetAt: resetTime.toISOString(),
+          remainingMinutes
+        });
+      }
+      
+      // 增加请求计数
+      await redis.getClient().incr(requestCountKey);
+      
+      // 存储限流信息到请求对象
+      req.rateLimitInfo = {
+        windowStart,
+        windowDuration,
+        requestCountKey,
+        tokenCountKey,
+        currentRequests: currentRequests + 1,
+        currentTokens,
+        rateLimitRequests,
+        tokenLimit
+      };
+    }
+    
    // 将验证信息添加到请求对象（只包含必要信息）
    req.apiKey = {
      id: validation.keyData.id,
@@ -110,6 +199,8 @@ const authenticateApiKey = async (req, res, next) => {
      tokenLimit: validation.keyData.tokenLimit,
      claudeAccountId: validation.keyData.claudeAccountId,
      concurrencyLimit: validation.keyData.concurrencyLimit,
+      rateLimitWindow: validation.keyData.rateLimitWindow,
+      rateLimitRequests: validation.keyData.rateLimitRequests,
      enableModelRestriction: validation.keyData.enableModelRestriction,
      restrictedModels: validation.keyData.restrictedModels
    };
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@@ -33,6 +33,8 @@ router.post('/api-keys', authenticateAdmin, async (req, res) => {
      expiresAt,
      claudeAccountId,
      concurrencyLimit,
+      rateLimitWindow,
+      rateLimitRequests,
      enableModelRestriction,
      restrictedModels
    } = req.body;
@@ -58,6 +60,14 @@ router.post('/api-keys', authenticateAdmin, async (req, res) => {
    if (concurrencyLimit !== undefined && concurrencyLimit !== null && concurrencyLimit !== '' && (!Number.isInteger(Number(concurrencyLimit)) || Number(concurrencyLimit) < 0)) {
      return res.status(400).json({ error: 'Concurrency limit must be a non-negative integer' });
    }
+    
+    if (rateLimitWindow !== undefined && rateLimitWindow !== null && rateLimitWindow !== '' && (!Number.isInteger(Number(rateLimitWindow)) || Number(rateLimitWindow) < 1)) {
+      return res.status(400).json({ error: 'Rate limit window must be a positive integer (minutes)' });
+    }
+    
+    if (rateLimitRequests !== undefined && rateLimitRequests !== null && rateLimitRequests !== '' && (!Number.isInteger(Number(rateLimitRequests)) || Number(rateLimitRequests) < 1)) {
+      return res.status(400).json({ error: 'Rate limit requests must be a positive integer' });
+    }

    // 验证模型限制字段
    if (enableModelRestriction !== undefined && typeof enableModelRestriction !== 'boolean') {
@@ -75,6 +85,8 @@ router.post('/api-keys', authenticateAdmin, async (req, res) => {
      expiresAt,
      claudeAccountId,
      concurrencyLimit,
+      rateLimitWindow,
+      rateLimitRequests,
      enableModelRestriction,
      restrictedModels
    });
@@ -91,7 +103,7 @@ router.post('/api-keys', authenticateAdmin, async (req, res) => {
 router.put('/api-keys/:keyId', authenticateAdmin, async (req, res) => {
  try {
    const { keyId } = req.params;
-    const { tokenLimit, concurrencyLimit, claudeAccountId, enableModelRestriction, restrictedModels } = req.body;
+    const { tokenLimit, concurrencyLimit, rateLimitWindow, rateLimitRequests, claudeAccountId, enableModelRestriction, restrictedModels } = req.body;

    // 只允许更新指定字段
    const updates = {};
@@ -109,6 +121,20 @@ router.put('/api-keys/:keyId', authenticateAdmin, async (req, res) => {
      }
      updates.concurrencyLimit = Number(concurrencyLimit);
    }
+    
+    if (rateLimitWindow !== undefined && rateLimitWindow !== null && rateLimitWindow !== '') {
+      if (!Number.isInteger(Number(rateLimitWindow)) || Number(rateLimitWindow) < 0) {
+        return res.status(400).json({ error: 'Rate limit window must be a non-negative integer (minutes)' });
+      }
+      updates.rateLimitWindow = Number(rateLimitWindow);
+    }
+    
+    if (rateLimitRequests !== undefined && rateLimitRequests !== null && rateLimitRequests !== '') {
+      if (!Number.isInteger(Number(rateLimitRequests)) || Number(rateLimitRequests) < 0) {
+        return res.status(400).json({ error: 'Rate limit requests must be a non-negative integer' });
+      }
+      updates.rateLimitRequests = Number(rateLimitRequests);
+    }

    if (claudeAccountId !== undefined) {
      // 空字符串表示解绑，null或空字符串都设置为空字符串
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -3,6 +3,7 @@ const claudeRelayService = require('../services/claudeRelayService');
 const apiKeyService = require('../services/apiKeyService');
 const { authenticateApiKey } = require('../middleware/auth');
 const logger = require('../utils/logger');
+const redis = require('../models/redis');

 const router = express.Router();

@@ -66,6 +67,15 @@ router.post('/v1/messages', authenticateApiKey, async (req, res) => {
            logger.error('❌ Failed to record stream usage:', error);
          });
          
+          // 更新时间窗口内的token计数
+          if (req.rateLimitInfo) {
+            const totalTokens = inputTokens + outputTokens + cacheCreateTokens + cacheReadTokens;
+            redis.getClient().incrby(req.rateLimitInfo.tokenCountKey, totalTokens).catch(error => {
+              logger.error('❌ Failed to update rate limit token count:', error);
+            });
+            logger.api(`📊 Updated rate limit token count: +${totalTokens} tokens`);
+          }
+          
          usageDataCaptured = true;
          logger.api(`📊 Stream usage recorded (real) - Model: ${model}, Input: ${inputTokens}, Output: ${outputTokens}, Cache Create: ${cacheCreateTokens}, Cache Read: ${cacheReadTokens}, Total: ${inputTokens + outputTokens + cacheCreateTokens + cacheReadTokens} tokens`);
        } else {
@@ -122,6 +132,13 @@ router.post('/v1/messages', authenticateApiKey, async (req, res) => {
          // 记录真实的token使用量（包含模型信息和所有4种token）
          await apiKeyService.recordUsage(req.apiKey.id, inputTokens, outputTokens, cacheCreateTokens, cacheReadTokens, model);
          
+          // 更新时间窗口内的token计数
+          if (req.rateLimitInfo) {
+            const totalTokens = inputTokens + outputTokens + cacheCreateTokens + cacheReadTokens;
+            await redis.getClient().incrby(req.rateLimitInfo.tokenCountKey, totalTokens);
+            logger.api(`📊 Updated rate limit token count: +${totalTokens} tokens`);
+          }
+          
          usageRecorded = true;
          logger.api(`📊 Non-stream usage recorded (real) - Model: ${model}, Input: ${inputTokens}, Output: ${outputTokens}, Cache Create: ${cacheCreateTokens}, Cache Read: ${cacheReadTokens}, Total: ${inputTokens + outputTokens + cacheCreateTokens + cacheReadTokens} tokens`);
        } else {
--- a/src/services/apiKeyService.js
+++ b/src/services/apiKeyService.js
@@ -19,6 +19,8 @@ class ApiKeyService {
      claudeAccountId = null,
      isActive = true,
      concurrencyLimit = 0,
+      rateLimitWindow = null,
+      rateLimitRequests = null,
      enableModelRestriction = false,
      restrictedModels = []
    } = options;
@@ -35,6 +37,8 @@ class ApiKeyService {
      apiKey: hashedKey,
      tokenLimit: String(tokenLimit ?? 0),
      concurrencyLimit: String(concurrencyLimit ?? 0),
+      rateLimitWindow: String(rateLimitWindow ?? 0),
+      rateLimitRequests: String(rateLimitRequests ?? 0),
      isActive: String(isActive),
      claudeAccountId: claudeAccountId || '',
      enableModelRestriction: String(enableModelRestriction),
@@ -57,6 +61,8 @@ class ApiKeyService {
      description: keyData.description,
      tokenLimit: parseInt(keyData.tokenLimit),
      concurrencyLimit: parseInt(keyData.concurrencyLimit),
+      rateLimitWindow: parseInt(keyData.rateLimitWindow || 0),
+      rateLimitRequests: parseInt(keyData.rateLimitRequests || 0),
      isActive: keyData.isActive === 'true',
      claudeAccountId: keyData.claudeAccountId,
      enableModelRestriction: keyData.enableModelRestriction === 'true',
@@ -94,14 +100,8 @@ class ApiKeyService {
        return { valid: false, error: 'API key has expired' };
      }

-      // 检查使用限制
+      // 获取使用统计（供返回数据使用）
      const usage = await redis.getUsageStats(keyData.id);
-      const tokenLimit = parseInt(keyData.tokenLimit);
-      
-      if (tokenLimit > 0 && usage.total.tokens >= tokenLimit) {
-        return { valid: false, error: 'Token limit exceeded' };
-      }
-

      // 更新最后使用时间（优化：只在实际API调用时更新，而不是验证时）
      // 注意：lastUsedAt的更新已移至recordUsage方法中
@@ -124,6 +124,8 @@ class ApiKeyService {
          claudeAccountId: keyData.claudeAccountId,
          tokenLimit: parseInt(keyData.tokenLimit),
          concurrencyLimit: parseInt(keyData.concurrencyLimit || 0),
+          rateLimitWindow: parseInt(keyData.rateLimitWindow || 0),
+          rateLimitRequests: parseInt(keyData.rateLimitRequests || 0),
          enableModelRestriction: keyData.enableModelRestriction === 'true',
          restrictedModels: restrictedModels,
          usage
@@ -145,6 +147,8 @@ class ApiKeyService {
        key.usage = await redis.getUsageStats(key.id);
        key.tokenLimit = parseInt(key.tokenLimit);
        key.concurrencyLimit = parseInt(key.concurrencyLimit || 0);
+        key.rateLimitWindow = parseInt(key.rateLimitWindow || 0);
+        key.rateLimitRequests = parseInt(key.rateLimitRequests || 0);
        key.currentConcurrency = await redis.getConcurrency(key.id);
        key.isActive = key.isActive === 'true';
        key.enableModelRestriction = key.enableModelRestriction === 'true';
@@ -172,7 +176,7 @@ class ApiKeyService {
      }

      // 允许更新的字段
-      const allowedUpdates = ['name', 'description', 'tokenLimit', 'concurrencyLimit', 'isActive', 'claudeAccountId', 'expiresAt', 'enableModelRestriction', 'restrictedModels'];
+      const allowedUpdates = ['name', 'description', 'tokenLimit', 'concurrencyLimit', 'rateLimitWindow', 'rateLimitRequests', 'isActive', 'claudeAccountId', 'expiresAt', 'enableModelRestriction', 'restrictedModels'];
      const updatedData = { ...keyData };

      for (const [field, value] of Object.entries(updates)) {
--- a/src/services/claudeRelayService.js
+++ b/src/services/claudeRelayService.js
@@ -23,7 +23,7 @@ class ClaudeRelayService {
    
    try {
      // 调试日志：查看API Key数据
-      logger.info(`🔍 API Key data received:`, {
+      logger.info('🔍 API Key data received:', {
        apiKeyName: apiKeyData.name,
        enableModelRestriction: apiKeyData.enableModelRestriction,
        restrictedModels: apiKeyData.restrictedModels,
@@ -448,7 +448,7 @@ class ClaudeRelayService {
  async relayStreamRequestWithUsageCapture(requestBody, apiKeyData, responseStream, clientHeaders, usageCallback) {
    try {
      // 调试日志：查看API Key数据（流式请求）
-      logger.info(`🔍 [Stream] API Key data received:`, {
+      logger.info('🔍 [Stream] API Key data received:', {
        apiKeyName: apiKeyData.name,
        enableModelRestriction: apiKeyData.enableModelRestriction,
        restrictedModels: apiKeyData.restrictedModels,
--- a/web/admin/app.js
+++ b/web/admin/app.js
@@ -117,6 +117,8 @@ const app = createApp({
                tokenLimit: '',
                description: '',
                concurrencyLimit: '',
+                rateLimitWindow: '',
+                rateLimitRequests: '',
                claudeAccountId: '',
                enableModelRestriction: false,
                restrictedModels: [],
@@ -158,6 +160,8 @@ const app = createApp({
                name: '',
                tokenLimit: '',
                concurrencyLimit: '',
+                rateLimitWindow: '',
+                rateLimitRequests: '',
                claudeAccountId: '',
                enableModelRestriction: false,
                restrictedModels: [],
@@ -1211,6 +1215,8 @@ const app = createApp({
                        tokenLimit: this.apiKeyForm.tokenLimit && this.apiKeyForm.tokenLimit.trim() ? parseInt(this.apiKeyForm.tokenLimit) : null,
                        description: this.apiKeyForm.description || '',
                        concurrencyLimit: this.apiKeyForm.concurrencyLimit && this.apiKeyForm.concurrencyLimit.trim() ? parseInt(this.apiKeyForm.concurrencyLimit) : 0,
+                        rateLimitWindow: this.apiKeyForm.rateLimitWindow && this.apiKeyForm.rateLimitWindow.trim() ? parseInt(this.apiKeyForm.rateLimitWindow) : null,
+                        rateLimitRequests: this.apiKeyForm.rateLimitRequests && this.apiKeyForm.rateLimitRequests.trim() ? parseInt(this.apiKeyForm.rateLimitRequests) : null,
                        claudeAccountId: this.apiKeyForm.claudeAccountId || null,
                        enableModelRestriction: this.apiKeyForm.enableModelRestriction,
                        restrictedModels: this.apiKeyForm.restrictedModels
@@ -1231,7 +1237,7 @@ const app = createApp({
                    
                    // 关闭创建弹窗并清理表单
                    this.showCreateApiKeyModal = false;
-                    this.apiKeyForm = { name: '', tokenLimit: '', description: '', concurrencyLimit: '', claudeAccountId: '', enableModelRestriction: false, restrictedModels: [], modelInput: '' };
+                    this.apiKeyForm = { name: '', tokenLimit: '', description: '', concurrencyLimit: '', rateLimitWindow: '', rateLimitRequests: '', claudeAccountId: '', enableModelRestriction: false, restrictedModels: [], modelInput: '' };
                    
                    // 重新加载API Keys列表
                    await this.loadApiKeys();
@@ -1275,6 +1281,8 @@ const app = createApp({
                name: key.name,
                tokenLimit: key.tokenLimit || '',
                concurrencyLimit: key.concurrencyLimit || '',
+                rateLimitWindow: key.rateLimitWindow || '',
+                rateLimitRequests: key.rateLimitRequests || '',
                claudeAccountId: key.claudeAccountId || '',
                enableModelRestriction: key.enableModelRestriction || false,
                restrictedModels: key.restrictedModels ? [...key.restrictedModels] : [],
@@ -1290,6 +1298,8 @@ const app = createApp({
                name: '',
                tokenLimit: '',
                concurrencyLimit: '',
+                rateLimitWindow: '',
+                rateLimitRequests: '',
                claudeAccountId: '',
                enableModelRestriction: false,
                restrictedModels: [],
@@ -1309,6 +1319,8 @@ const app = createApp({
                    body: JSON.stringify({
                        tokenLimit: this.editApiKeyForm.tokenLimit && this.editApiKeyForm.tokenLimit.toString().trim() !== '' ? parseInt(this.editApiKeyForm.tokenLimit) : 0,
                        concurrencyLimit: this.editApiKeyForm.concurrencyLimit && this.editApiKeyForm.concurrencyLimit.toString().trim() !== '' ? parseInt(this.editApiKeyForm.concurrencyLimit) : 0,
+                        rateLimitWindow: this.editApiKeyForm.rateLimitWindow && this.editApiKeyForm.rateLimitWindow.toString().trim() !== '' ? parseInt(this.editApiKeyForm.rateLimitWindow) : 0,
+                        rateLimitRequests: this.editApiKeyForm.rateLimitRequests && this.editApiKeyForm.rateLimitRequests.toString().trim() !== '' ? parseInt(this.editApiKeyForm.rateLimitRequests) : 0,
                        claudeAccountId: this.editApiKeyForm.claudeAccountId || null,
                        enableModelRestriction: this.editApiKeyForm.enableModelRestriction,
                        restrictedModels: this.editApiKeyForm.restrictedModels
--- a/web/admin/index.html
+++ b/web/admin/index.html
@@ -534,6 +534,16 @@
                                                            <span v-if="key.concurrencyLimit > 0" class="text-xs text-gray-500">/ {{ key.concurrencyLimit }}</span>
                                                        </span>
                                                    </div>
+                                                    <!-- 时间窗口限流 -->
+                                                    <div v-if="key.rateLimitWindow > 0" class="flex justify-between text-sm">
+                                                        <span class="text-gray-600">时间窗口:</span>
+                                                        <span class="font-medium text-indigo-600">{{ key.rateLimitWindow }} 分钟</span>
+                                                    </div>
+                                                    <!-- 请求次数限制 -->
+                                                    <div v-if="key.rateLimitRequests > 0" class="flex justify-between text-sm">
+                                                        <span class="text-gray-600">请求限制:</span>
+                                                        <span class="font-medium text-indigo-600">{{ key.rateLimitRequests }} 次/窗口</span>
+                                                    </div>
                                                    <!-- 输入/输出Token -->
                                                    <div class="flex justify-between text-xs text-gray-500">
                                                        <span>输入: {{ formatNumber((key.usage && key.usage.total && key.usage.total.inputTokens) || 0) }}</span>
@@ -1792,14 +1802,38 @@
                    </div>
                    
                    <div>
-                        <label class="block text-sm font-semibold text-gray-700 mb-3">Token 限制 (可选)</label>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">时间窗口 (可选)</label>
+                        <input 
+                            v-model="apiKeyForm.rateLimitWindow" 
+                            type="number" 
+                            min="1"
+                            placeholder="留空表示无限制" 
+                            class="form-input w-full"
+                        >
+                        <p class="text-xs text-gray-500 mt-2">设置时间窗口（分钟），在此时间内限制请求次数或Token使用量</p>
+                    </div>
+                    
+                    <div>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">请求次数限制 (可选)</label>
+                        <input 
+                            v-model="apiKeyForm.rateLimitRequests" 
+                            type="number" 
+                            min="1"
+                            placeholder="留空表示无限制" 
+                            class="form-input w-full"
+                        >
+                        <p class="text-xs text-gray-500 mt-2">在时间窗口内允许的最大请求次数</p>
+                    </div>
+                    
+                    <div>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">时间窗口内 Token 限制 (可选)</label>
                        <input 
                            v-model="apiKeyForm.tokenLimit" 
                            type="number" 
                            placeholder="留空表示无限制" 
                            class="form-input w-full"
                        >
-                        <p class="text-xs text-gray-500 mt-2">设置此 API Key 的最大 token 使用量</p>
+                        <p class="text-xs text-gray-500 mt-2">设置在时间窗口内的最大 Token 使用量（需同时设置时间窗口）</p>
                    </div>
                    
                    <div>
@@ -1951,7 +1985,31 @@
                    </div>
                    
                    <div>
-                        <label class="block text-sm font-semibold text-gray-700 mb-3">Token 限制</label>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">时间窗口</label>
+                        <input 
+                            v-model="editApiKeyForm.rateLimitWindow" 
+                            type="number" 
+                            min="1"
+                            placeholder="留空表示无限制" 
+                            class="form-input w-full"
+                        >
+                        <p class="text-xs text-gray-500 mt-2">设置时间窗口（分钟），在此时间内限制请求次数或Token使用量</p>
+                    </div>
+                    
+                    <div>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">请求次数限制</label>
+                        <input 
+                            v-model="editApiKeyForm.rateLimitRequests" 
+                            type="number" 
+                            min="1"
+                            placeholder="留空表示无限制" 
+                            class="form-input w-full"
+                        >
+                        <p class="text-xs text-gray-500 mt-2">在时间窗口内允许的最大请求次数</p>
+                    </div>
+                    
+                    <div>
+                        <label class="block text-sm font-semibold text-gray-700 mb-3">时间窗口内 Token 限制</label>
                        <input 
                            v-model="editApiKeyForm.tokenLimit" 
                            type="number" 
@@ -1959,7 +2017,7 @@
                            placeholder="0 表示无限制" 
                            class="form-input w-full"
                        >
-                        <p class="text-xs text-gray-500 mt-2">设置此 API Key 的最大 token 使用量，0 或留空表示无限制</p>
+                        <p class="text-xs text-gray-500 mt-2">设置在时间窗口内的最大 Token 使用量（需同时设置时间窗口），0 或留空表示无限制</p>
                    </div>
                    
                    <div>