Authentication API Endpoint Rate Limits
Effective Date: 19 May 2020
Each Authentication API endpoint is configured with a bucket that defines the request limit and rate limit window (per second, per minute, per day, etc.).
bucket:
size: x
per_minute: yWas this helpful?
For example, the above states that, for the given bucket, there is a maximum request limit of x per minute, and for each minute that elapses, permissions for y requests are added back. In other words, for each 60/y seconds, one additional request is added to the bucket. This occurs automatically until the bucket contains the maximum permitted number of requests.
For some API endpoints, the rate limits are defined per bucket, so the origins of the call do not influence the rate limit changes. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.
Auth0 endpoint calls related to user login transactions are typically spread out over several seconds. Therefore a typical user login that uses 5 endpoint calls per transaction would not all occur in the same second. You can confirm this behavior in your own environment as part of a load test.
If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, read Attack Protection for more information.
Well-known endpoints are cached by Auth0 for several seconds so not all requests will count towards your rate limit. You can inspect the cache-control HTTP response header for details.
Limits for production tenants of paying customers
| Endpoint | Path | Limited By | Rate Limit |
|---|---|---|---|
| All Endpoints | All Authentication API endpoints | Sum of all combined requests to any Authentication API endpoint | 100 requests per second |
| User Profile | /tokeninfo (Legacy) |
IP Address | 800 requests per minute |
/userinfo |
User ID | 5 requests per minute with bursts up to 10 requests | |
| Delegation | /delegation |
User ID, IP Address | 1 request per minute with bursts of up to 10 requests |
| Change Password | /dbconnections/change_password |
User Email, IP Address | 1 request per minute with bursts up to 10 requests |
| Signup | /dbconnections/signup |
IP Address | 50 requests per minute |
| Get Passwordless Code or Link | /passwordless/start |
IP Address | 50 requests per hour when using non-authenticated calls. For authenticated clients, we do not apply this rate limit and the global limits are enforced (considered an Authentication API endpoint). Upon request, we can enforce this limit on authenticated clients for Universal Login. |
| Classic Experience with MFA | /login and others |
Sum of all combined requests to any Authentication API endpoint | 100 requests per second |
Limits for non-production tenants of paying customers and all tenants of free customers
| Endpoint | Path | Limited By | Rate Limit |
|---|---|---|---|
| User Profile | /tokeninfo (Legacy) |
IP Address | 800 requests per minute |
/userinfo |
User ID | 5 requests per minute with bursts up to 10 requests | |
| Delegation | /delegation |
User ID, IP Address | 1 request per minute with bursts of up to 10 requests |
| Change Password | /dbconnections/change_password |
User Email, IP Address | 1 request per minute with bursts up to 10 requests |
| Signup | /dbconnections/signup |
IP Address | 50 requests per minute |
| Get Passwordless Code or Link | /passwordless/start |
IP Address | 50 requests per hour |
| Get Token | /oauth/token |
Any request | 30 requests per second |
| Cross Origin Authentication | /co/authenticate |
Any request | 5 requests per second |
| Authentication | /usernamepassword/login |
Any request | 5 requests per second |
| Resource Owner (Legacy) | /oauth/ro |
Any request | 10 requests per second |
| JSON Web Token Keys | /.well-known/jwks.json |
Any request | 20 requests per second |
Free tenant global limits
To ensure Auth0's quality of service, the Authentication API is subject to several levels of rate limiting for free subscribers. Auth0's Authentication API has a global limit of 300 requests per minute for free tenants. The limit is global for the tenant and not per endpoint. The global rate limit applies to all Authentication API endpoints.
Affected endpoints
The global rate limit applies to all Authentication API endpoints. A complete list of endpoints that are affected by this limit, along with the associated response if the rate limit is exceeded, is a follows:
| Endpoint | Response |
|---|---|
GET /authorize |
Error Page |
GET /passwordless/verify_redirect |
Error Page |
POST /dbconnections/change_password |
JSON Error (too_many_requests) |
GET /dbconnections/change_password |
JSON Error (too_many_requests) |
POST /dbconnections/self_change_password |
JSON Error (too_many_requests) |
POST /co/authenticate |
JSON Error (access_denied) |
POST /delegation |
JSON Error (too_many_requests) |
GET /delegation |
JSON Error (too_many_requests) |
GET /activate |
Error Page |
POST /activate |
Error Page |
POST /oauth/device/code |
JSON Error (access_denied) |
POST /oauth/ro |
JSON Error (access_denied) |
GET /oauth/ro |
JSON Error (access_denied) |
POST /oauth/token |
JSON Error (access_denied) |
POST /oauth/introspect |
JSON Error (access_denied) |
GET /passwordless/start |
JSON Error (too_many_requests) |
POST /passwordless/start |
JSON Error (too_many_requests) |
POST /u/reset-password/request/:connection |
Error Page |
GET /u/consent |
Error Page |
POST /u/consent |
Error Page |
GET /u/login |
Error Page |
POST /u/login |
Error Page |
GET /u/mfa-country-codes |
Error Page |
POST /u/mfa-country-codes |
Error Page |
GET /u/mfa-email-challenge |
Error Page |
POST /u/mfa-email-challenge |
Error Page |
GET /u/mfa-email-enrollment |
Error Page |
POST /u/mfa-email-enrollment |
Error Page |
GET /u/mfa-email-enrollment-verify |
Error Page |
POST /u/mfa-email-enrollment-verify |
Error Page |
GET /u/mfa-email-list |
Error Page |
POST /u/mfa-email-list |
Error Page |
GET /u/mfa-enroll-options |
Error Page |
POST /u/mfa-enroll-options |
Error Page |
GET /u/mfa-guardian-list |
Error Page |
POST /u/mfa-guardian-list |
Error Page |
GET /u/mfa-guardian-welcome |
Error Page |
POST /u/mfa-guardian-welcome |
Error Page |
GET /u/mfa-login-options |
Error Page |
POST /u/mfa-login-options |
Error Page |
GET /u/mfa-otp-challenge |
Error Page |
POST /u/mfa-otp-challenge |
Error Page |
GET /u/mfa-otp-enrollment |
Error Page |
POST /u/mfa-otp-enrollment |
Error Page |
GET /u/mfa-push-challenge |
Error Page |
POST /u/mfa-push-challenge |
Error Page |
GET /u/mfa-push-enrollment |
Error Page |
POST /u/mfa-push-enrollment |
Error Page |
GET /u/mfa-recovery-code-challenge |
Error Page |
POST /u/mfa-recovery-code-challenge |
Error Page |
GET /u/mfa-recovery-code-challenge-new-code |
Error Page |
POST /u/mfa-recovery-code-challenge-new-code |
Error Page |
GET /u/mfa-recovery-code-enrollment |
Error Page |
POST /u/mfa-recovery-code-enrollment |
Error Page |
GET /u/mfa-sms-challenge |
Error Page |
POST /u/mfa-sms-challenge |
Error Page |
GET /u/mfa-sms-enrollment |
Error Page |
POST /u/mfa-sms-enrollment |
Error Page |
GET /u/mfa-sms-enrollment-verify |
Error Page |
POST /u/mfa-sms-enrollment-verify |
Error Page |
GET /u/mfa-sms-list |
Error Page |
POST /u/mfa-sms-list |
Error Page |
GET /u/reset-password |
Error Page |
POST /u/reset-password |
Error Page |
GET /u/reset-password/request/:connection |
Error Page |
GET /u/signup |
Error Page |
POST /u/signup |
Error Page |
GET /tokeninfo |
Text: "Rate limit exceed" |
POST /tokeninfo |
Text: "Rate limit exceed" |
POST /userinfo |
Text: "Rate limit exceed" |
GET /userinfo |
Text: "Rate limit exceed" |
POST /usernamepassword/login |
JSON Error (too_many_requests) |
GET /usernamepassword/login |
JSON Error (too_many_requests) |
GET /.well-known/jwks.json |
Text: "Rate limit exceed" |
GET /.well-known/openid-configuration |
JSON Error (access_denied) |
GET /cer/:clientID? |
Text: "Rate limit exceed" |
GET /pb7/:clientID? |
Text: "Rate limit exceed" |
GET /pem/:clientID? |
Text: "Rate limit exceed" |
GET /rawpem/:clientID? |
Text: "Rate limit exceed" |
GET /samlp/:clientID |
Text: "Rate limit exceed" |
POST /samlp/:clientID |
Text: "Rate limit exceed" |
GET /samlp/metadata |
Text: "Rate limit exceed" |
GET /samlp/metadata/:clientID |
Text: "Rate limit exceed" |
GET /:clientID/trust/mex |
XML Error (wst:RequestFailed) |
POST /:clientID/trust/usernamemixed |
XML Error (wst:RequestFailed, Status Code: 500) |
GET /decision |
Error Page |
POST /decision |
Error Page |
POST /drwatson |
Text: "Rate limit exceed" |
POST /mfa/associate |
JSON Error (access_denied) |
GET /mfa/authenticators |
JSON Error (access_denied) |
DELETE /mfa/authenticators/:authenticator_id |
JSON Error (access_denied) |
POST /mfa/challenge |
JSON Error (access_denied) |
GET /oauth/access_token |
JSON Error (access_denied) |
POST /oauth/access_token |
JSON Error (access_denied) |
GET /p/:strategy/:ticket |
Text: "Rate limit exceed" |
POST /p/:strategy/:ticket |
Text: "Rate limit exceed" |
GET /p/:strategy/:ticket/info |
Text: "Rate limit exceed" |
GET /passwordless/verify |
JSON Error (too_many_requests) |
POST /passwordless/verify |
JSON Error (too_many_requests) |
GET /rms |
Error Page |
GET /rms/:clientID/adfs/fs/federationserverservice.asmx |
XML Error (fed:BadRequest) |
POST /rms/:clientID/adfs/fs/federationserverservice.asmx |
XML Error (fed:BadRequest) |
GET /rms/:clientID/FederationMetadata/2007-06/FederationMetadata.xml |
JSON Error (too_many_requests) |
GET /samlp/:clientID/logout |
Error Page |
POST /samlp/:clientID/logout |
Error Page |
GET /samlp/idp/slo |
Text: "Rate limit exceed" |
GET /sso_dbconnection_popup/:clientID |
JSON Error (access_denied) |
GET /wsfed |
Error Page |
GET /wsfed/:clientID |
Error Page |
GET /wsfed/:clientID/FederationMetadata/2007-06/FederationMetadata.xml |
Error Page |
GET /wsfed/FederationMetadata/2007-06/FederationMetadata.xml |
Error Page |
GET /.well-known/apple-app-site-association |
JSON Error (access_denied) |
GET /.well-known/assetlinks.json |
JSON Error (access_denied) |
GET /adfs/fs/federationserverservice.asmx |
XML Error (fed:BadRequest) |
POST /adfs/fs/federationserverservice.asmx |
XML Error (fed:BadRequest) |
GET /apple-app-site-association |
JSON Error (access_denied) |
GET /aws-saml/metadata |
Text: "Rate limit exceed" |
GET /changepwd/completed |
JSON Error (too_many_requests) |
GET /changepwd/form |
Error Page |
POST /changepwd/reset |
JSON Error (too_many_requests) |
POST /co/verify |
Text: "Rate limit exceed" |
GET /continue |
Error Page |
POST /continue |
Error Page |
GET /custom-login/preview |
JSON Error (too_many_requests) |
POST /dbconnections/delete |
JSON Error (too_many_requests) |
GET /dbconnections/login |
JSON Error (too_many_requests) |
POST /dbconnections/login |
JSON Error (too_many_requests) |
GET /dbconnections/signup |
JSON Error (too_many_requests) |
POST /dbconnections/signup |
JSON Error (too_many_requests) |
POST /dbconnections/verify_email |
JSON Error (too_many_requests) |
GET /FederationMetadata/2007-06/FederationMetadata.xml |
XML Error (fed:BadRequest) |
GET /i/login |
Error Page |
GET /i/login/sso/:provider |
Text: "Rate limit exceed" |
GET /i/oauth2/authorize |
JSON Error (access_denied) |
GET /login |
Error Page |
GET /login/callback |
Error Page |
POST /login/callback |
Error Page |
GET /logout |
Error Page |
POST /logout |
Error Page |
GET /mf |
Error Page |
POST /mf |
Error Page |
POST /oauth/reverse |
JSON Error (access_denied) |
POST /oauth/revoke |
JSON Error (access_denied) |
POST /state/introspect |
JSON Error (too_many_requests) |
GET /unblock |
Error Page |
POST /unlink |
JSON Error (too_many_requests) |
GET /user/ssodata |
Text: "Rate limit exceed" |
GET /users/:id/impersonate |
JSON Error (too_many_requests) |
POST /users/:id/impersonate |
JSON Error (too_many_requests) |
GET /v2/logout |
Error Page |
Private Cloud rate limit policies
Private Cloud customer rate limits are specific to your service tier. All values are measured in Requests per Second.
| API | Basic | Performance | Performance Plus |
|---|---|---|---|
| Authentication API by Prod Tenant | 100 | 500 | 1500 |
| Authentication API protection by tenant | 100 | 500 | 1500 |
Private cloud has different global limits for the Authentication API, all service specific enterprise rate limits still apply.
Exceeded rate limit responses
If you exceed the rate limit for a given API endpoint, you'll receive an HTTP 429 (Too Many Requests) response. The response will also contain HTTP Response Headers that provide additional information on the rate limits applicable to that endpoint.
If you exceed the global rate limit, the following example log entry will be emitted to your logs: You have reached the global limit for your account. There will be a single log entry per hour while your account exceeds the rate limit. To view the log entries for a subscription, navigate the to Logs page in the Dashboard.
The response body you receive depends on the endpoint. Each endpoint typically provides a return value in a different format (for example, some return an HTTP response, while others redirect to a URL and pass values in the query string). If the endpoint typically provides the response expected as JSON in the HTTP body, then a JSON error response will be sent if a rate limit is reached. To learn more, review the Review HTTP response headers section of our Rate Limit Policy.
Error page
The error page response is sent for endpoints that render HTML content to the end user. When you exceed the rate limit, Auth0 renders the error page instead of the expected content.
JSON error
Endpoints that usually provide JSON-formatted responses will return a JSON object containing an error code and description.
{
"error": "access_denied or too_many_requests",
"error_description": "Global rate limit exceeded",
"error_uri": "https://.../... documentation url"
}Was this helpful?
The error you receive depends on the type of endpoint you're calling:
access_denied: for OAuth endpointstoo_many_requests: for endpoints that return JSON
XML error
XML Errors are returned for endpoints that normally return XML.
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" ...>
<env:Body>
<env:Fault>
<env:Code>
<env:Value>env:Sender</env:Value>
<env:Subcode>
<env:Value>fed:BadRequest or wst:RequestFailed</env:Value>
</env:Subcode>
</env:Code>
<env:Reason>
<env:Text xml:lang="en">Global rate limit exceeded</env:Text>
</env:Reason>
<env:Detail>
</env:Detail>
</env:Fault>
</env:Body>
</env:Envelope>Was this helpful?
The error you receive depends on the type of endpoint you're calling:
fed:BadRequestwill be sent for WSFed-related endpoints.wst:RequestFailedwill be used in for WSTrust-related endpoints.
Recommendations to reduce calls to Auth0
When you exceed your rate limits, you'll need to reduce the number of calls you make to Auth0. The specifics depend on your use case, but here are some recommendations:
Cache
/.well-known/*responses: This information does not change frequently, so you can usually cache it to reduce the number of times you need to call Auth0.Consider requesting an
id_tokeninstead of calling/userinfoto get information about the user.Reduce bulk calls, such as bulk delete or bulk unlock.