Defensive cap on concurrent in-flight OAuth authorizations. Sized well above any realistic
single-user burst; hitting it cancels the oldest unsettled authorization, which is destructive,
so the cap deliberately leaves headroom over typical and pathological-but-legitimate scenarios.
Shared across frontends; multi-tenant deployments should run one backend per user.
Defensive cap on concurrent in-flight OAuth authorizations. Sized well above any realistic single-user burst; hitting it cancels the oldest unsettled authorization, which is destructive, so the cap deliberately leaves headroom over typical and pathological-but-legitimate scenarios. Shared across frontends; multi-tenant deployments should run one backend per user.