UNCLASSIFIED - NO CUI

Update Administrator Guide authored by Mark Howard
...@@ -85,6 +85,8 @@ The API needs the following environmental variables for the setup: ...@@ -85,6 +85,8 @@ The API needs the following environmental variables for the setup:
- `SSO_LEADERSHIP_GROUP`: the SSO group name for leadership access. - `SSO_LEADERSHIP_GROUP`: the SSO group name for leadership access.
- `SSO_GROUPS_KEY`: the key found in user token indicating the list of groups a user is part of (this can include `SSO_ADMIN_GROUP`, `SSO_LEADERSHIP_GROUP` values in the list). This list will determine what SSO permissions a user has. For example, if `SSO_GROUPS_KEY="foo"` and `SSO_ADMIN_GROUP="bar"` is set, then the API will try and check the user token (as a sample token json `{"foo": ["bar"]}`) to determine if user is admin which in this case the user is admin. - `SSO_GROUPS_KEY`: the key found in user token indicating the list of groups a user is part of (this can include `SSO_ADMIN_GROUP`, `SSO_LEADERSHIP_GROUP` values in the list). This list will determine what SSO permissions a user has. For example, if `SSO_GROUPS_KEY="foo"` and `SSO_ADMIN_GROUP="bar"` is set, then the API will try and check the user token (as a sample token json `{"foo": ["bar"]}`) to determine if user is admin which in this case the user is admin.
- `SSO_USERNAME_KEY`: the key found in user token indicating the user's username. For example, if the `SSO_USERNAME_KEY="foo"` is set, then the API would get the username by checking the token (as a sample token json `{"foo": "bar"}`) for `foo` as key. In this case, the username would be `bar`. - `SSO_USERNAME_KEY`: the key found in user token indicating the user's username. For example, if the `SSO_USERNAME_KEY="foo"` is set, then the API would get the username by checking the token (as a sample token json `{"foo": "bar"}`) for `foo` as key. In this case, the username would be `bar`.
- `RATE_LIMITS`: how often an IP address can make requests of the API. Defaults to `300/day,50/hour`. The format can be seen here: https://flask-limiter.readthedocs.io/en/stable/configuration.html#rate-limit-string-notation
- `RATE_LIMITING_IP_WHITELIST`: a comma-delineated list of IP addresses to exempt from rate limiting.
- `OPENAPI_VERSION`: the open api version for the app to use. - `OPENAPI_VERSION`: the open api version for the app to use.
- `MODE`: the mode of operation for the app (can be "production" or "development") - `MODE`: the mode of operation for the app (can be "production" or "development")
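Review bot: The new `RATE_LIMITING_IP_WHITELIST` entry does not state its default or what a valid entry is. Say what happens when it is unset (presumably no exemptions), and whether only individual addresses are accepted or CIDR ranges as well, since an over-broad exemption turns rate limiting off for every client it matches. On the `RATE_LIMITS` line, "an IP address" should be made precise for deployments behind a reverse proxy or load balancer: document which address the API keys the limit on, because if it is the proxy's address, all clients share one `300/day,50/hour` budget, and adding that address to the exemption list removes the limit for everyone. It would also help to state that both limits in the default apply at once, in the same style as the worked examples given for `SSO_GROUPS_KEY` and `SSO_USERNAME_KEY`. Minor wording: "comma-delineated" should read "comma-separated".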
... ...
......