User/Password Authentication Rate Limits

To protect the overall health of the system, Auth0 employs user/password rate limits that mitigate load. Auth0's high degree of customization can put us at risk of service degradation. Causes can include:

  • High-load stress tests

  • Benchmark tests

  • Inefficient code that causes users to log in multiple times

Requests are subject to limits as outlined in the Rate Limit Policy for Auth0 APIs.

In addition, there is a same-user login rate limit: if one IP address makes 20 login attempts in one minute to the same user account, the rate limit comes into effect. After that, Auth0 allows the user 10 attempts per minute. Any combination of successful and failed login attempts counts toward this limit.
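To check whether your own application would trip the same-user login limit, for example through a retry loop, the following added example (not Auth0 code) counts attempts per IP address and account over constructed login events. It assumes the minute is measured as a sliding 60-second window, which this page does not specify; the event format and function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                 # attempts from one IP to one account (from the page)
WINDOW = timedelta(minutes=1)  # assumption: a sliding 60-second window


def sample_events():
    """Constructed login events: (timestamp, client IP, username, outcome)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Retry loop: 22 attempts, 2 s apart, one IP against one account.
    for i in range(22):
        outcome = "success" if i % 2 else "failure"
        events.append((base + timedelta(seconds=2 * i), "198.51.100.7", "alice", outcome))
    # Ordinary user: one login per minute.
    for i in range(5):
        events.append((base + timedelta(minutes=i), "203.0.113.9", "bob", "success"))
    # Same account from another IP: counted separately, stays just under 20.
    for i in range(19):
        events.append((base + timedelta(seconds=3 * i), "192.0.2.4", "alice", "failure"))
    return events


def peak_attempts(events):
    """Map (ip, user) -> (peak attempts in any window, time the threshold was first reached)."""
    windows = defaultdict(deque)
    result = {}
    for ts, ip, user, _outcome in sorted(events):  # successes and failures both count
        key = (ip, user)
        win = windows[key]
        win.append(ts)
        while ts - win[0] >= WINDOW:  # drop attempts older than the window
            win.popleft()
        peak, first_hit = result.get(key, (0, None))
        if first_hit is None and len(win) >= THRESHOLD:
            first_hit = ts
        result[key] = (max(peak, len(win)), first_hit)
    return result


def flagged(events):
    """Pairs that reached the threshold, i.e. would have been rate limited."""
    return sorted(k for k, (_, hit) in peak_attempts(events).items() if hit is not None)


if __name__ == "__main__":
    for (ip, user), (peak, hit) in sorted(peak_attempts(sample_events()).items()):
        print(f"{ip:15} {user:6} peak={peak:2} limit_reached_at={hit}")
```

A pair whose peak sits close to 20 without reaching it is worth reviewing for redundant login calls before it starts affecting users.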

Limits that protect users

Auth0's brute-force protection and suspicious IP throttling can also limit logins and signups, but are independent of rate limits. To learn more about how Auth0 detects and handles potentially malicious anomalies, read Attack Protection.
