diff --git a/internal/check/engine.go b/internal/check/engine.go
index 26d197d04..ff2c398d5 100644
--- a/internal/check/engine.go
+++ b/internal/check/engine.go
@@ -115,7 +115,7 @@ func (e *Engine) checkOneIndirectionFurther(
 func (e *Engine) SubjectIsAllowed(ctx context.Context, r *relationtuple.InternalRelationTuple, restDepth int) (bool, error) {
 // global max-depth takes precedence when it is the lesser or if the request max-depth is less than or equal to 0
- if globalMaxDepth := e.d.Config().ReadAPIMaxDepth(); restDepth <= 0 || globalMaxDepth < restDepth {
+ if globalMaxDepth := e.d.Config().MaxReadDepth(); restDepth <= 0 || globalMaxDepth < restDepth {
 restDepth = globalMaxDepth
 }
diff --git a/internal/check/engine_test.go b/internal/check/engine_test.go
index 3e34975cf..a23df6eae 100644
--- a/internal/check/engine_test.go
+++ b/internal/check/engine_test.go
@@ -93,7 +93,7 @@ func TestEngine(t *testing.T) {
 }
 // global max-depth defaults to 5
- assert.Equal(t, reg.Config().ReadAPIMaxDepth(), 5)
+ assert.Equal(t, reg.Config().MaxReadDepth(), 5)
 // req max-depth takes precedence, max-depth=2 is not enough
 res, err := e.SubjectIsAllowed(context.Background(), userHasAccess, 2)
@@ -106,13 +106,13 @@ func TestEngine(t *testing.T) {
 assert.True(t, res)
 // global max-depth takes precedence and max-depth=2 is not enough
- require.NoError(t, reg.Config().Set(config.KeyReadMaxDepth, 2))
+ require.NoError(t, reg.Config().Set(config.KeyLimitMaxReadDepth, 2))
 res, err = e.SubjectIsAllowed(context.Background(), userHasAccess, 3)
 require.NoError(t, err)
 assert.False(t, res)
 // global max-depth takes precedence and max-depth=3 is enough
- require.NoError(t, reg.Config().Set(config.KeyReadMaxDepth, 3))
+ require.NoError(t, reg.Config().Set(config.KeyLimitMaxReadDepth, 3))
 res, err = e.SubjectIsAllowed(context.Background(), userHasAccess, 0)
 require.NoError(t, err)
 assert.True(t, res)
diff --git a/internal/driver/config/config.schema.json b/internal/driver/config/config.schema.json
index 9d65d46bb..59e26b2a1 100644
--- a/internal/driver/config/config.schema.json
+++ b/internal/driver/config/config.schema.json
@@ -232,14 +232,6 @@
 },
 "tls": {
 "$ref": "#/definitions/tlsx"
- },
- "max-depth": {
- "type": "integer",
- "default": 5,
- "title": "Global maximum depth",
- "description": "The global maximum depth on all read operations. This can be decreased for a request by a value specified on the request, this applies only if the request-specific value is greater than 1 and less than the global maximum depth.",
- "minimum": 1,
- "maximum": 65535
 }
 }
 },
@@ -310,6 +302,22 @@
 }
 ]
 },
+ "limit": {
+ "type": "object",
+ "title": "Limits",
+ "description": "Limits aiming to control the resource consumption. These limits are not a sufficient replacement for rate-limiting.",
+ "properties": {
+ "max_read_depth": {
+ "type": "integer",
+ "default": 5,
+ "title": "Global maximum read depth",
+ "description": "The global maximum depth on all read operations. Note that this does not affect how deeply nested the tuples can be. This value can be decreased for a request by a value specified on the request, only if the request-specific value is greater than 1 and less than the global maximum depth.",
+ "minimum": 1,
+ "maximum": 65535
+ }
+ },
+ "additionalProperties": false
+ },
 "version": {
 "type": "string",
 "title": "The Keto version this config is written for.",
diff --git a/internal/driver/config/provider.go b/internal/driver/config/provider.go
index c566b26ff..9d82f6469 100644
--- a/internal/driver/config/provider.go
+++ b/internal/driver/config/provider.go
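Review bot: The `max_read_depth` description in the second config.schema.json hunk says a request value is honoured only when it is "greater than 1", but the engine code touched by this commit replaces the request depth only when `restDepth <= 0 || globalMaxDepth < restDepth`, so a request depth of exactly 1, or one equal to the global maximum, is honoured as well. The wording was carried over from the removed `max-depth` entry. Since operators read this text to work out how tightly traversal is bounded, I would change the tail to `only if the request-specific value is at least 1 and no greater than the global maximum depth.`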
@@ -29,9 +29,9 @@ var Schema []byte
 const (
 KeyDSN = "dsn"
- KeyReadMaxDepth = "serve.read.max-depth"
- KeyReadAPIHost = "serve.read.host"
- KeyReadAPIPort = "serve.read.port"
+ KeyLimitMaxReadDepth = "limit.max_read_depth"
+ KeyReadAPIHost = "serve.read.host"
+ KeyReadAPIPort = "serve.read.port"
 KeyWriteAPIHost = "serve.write.host"
 KeyWriteAPIPort = "serve.write.port"
@@ -140,8 +140,8 @@ func (k *Config) ReadAPIListenOn() string {
 )
 }
-func (k *Config) ReadAPIMaxDepth() int {
- return k.p.Int(KeyReadMaxDepth)
+func (k *Config) MaxReadDepth() int {
+ return k.p.Int(KeyLimitMaxReadDepth)
 }
 func (k *Config) WriteAPIListenOn() string {
diff --git a/internal/expand/engine.go b/internal/expand/engine.go
index f290884f3..17ec18532 100644
--- a/internal/expand/engine.go
+++ b/internal/expand/engine.go
@@ -32,7 +32,7 @@ func NewEngine(d EngineDependencies) *Engine {
 func (e *Engine) BuildTree(ctx context.Context, subject relationtuple.Subject, restDepth int) (*Tree, error) {
 // global max-depth takes precedence when it is the lesser or if the request max-depth is less than or equal to 0
- if globalMaxDepth := e.d.Config().ReadAPIMaxDepth(); restDepth <= 0 || globalMaxDepth < restDepth {
+ if globalMaxDepth := e.d.Config().MaxReadDepth(); restDepth <= 0 || globalMaxDepth < restDepth {
 restDepth = globalMaxDepth
 }
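Review bot: `MaxReadDepth` in the second provider.go hunk reads only `limit.max_read_depth`, and the first hunk drops the `serve.read.max-depth` key string, so a deployment that still sets the old key would presumably lose its configured bound after upgrading. It would either fall back to the schema default of 5 or fail config validation, depending on how unknown keys under `serve.read` are treated, which is not visible here. Because this value caps traversal in both `SubjectIsAllowed` and `BuildTree`, a silently changed limit alters resource consumption and can change check results. Consider honouring the old key as a deprecated fallback with a warning for one release, or documenting the rename as a breaking change in the upgrade notes. The accessor also has no doc comment; I would add `// MaxReadDepth returns the global upper bound on traversal depth for read (check and expand) operations, taken from limit.max_read_depth.`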