Rate Limit Policy

Effective Date: 18 June 2020

Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.

Auth0's rate limits vary based on the tenant type you have. The tenants that have no credit card associated in the Dashboard are free. There are also variations in terms of paid tenant types (e.g., non-production, production). To set an environment for your tenant (development, staging or production), go to Dashboard > Settings > General, find the Environment Tag section, set the environment type, and save changes.

To ensure the quality of Auth0's services, the Auth0 APIs are subject to rate limiting. Depending on the API endpoint, the request limit and the rate limit window in which the request limit resets, varies.

Using the Management API for free and trial tenants is restricted to 2 requests per second (with bursts of up to 10 requests). Exceeding these values triggers an HTTP 429 (Too Many Requests) response, but the error message states, "Global limit has been reached." These are in addition to those indicated in the rate limit response headers.

If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.

To learn more each endpoint limitation, read Management API Endpoints and Authentication API Endpoints.

Private Cloud customers rate limits depend on the service tier. Refer to the Management API and Authentication API rate limit policies for Private Cloud.

Auth0 reserves the right to modify the rate limits at any time. For the up-to-date information on rate limits, you can review the HTTP response headers returned from rate-limited endpoints.

API requests to selected Authentication or Management API endpoints will return HTTP response headers that provide relevant data on the current status of your rate limits for that endpoint. If you receive a rate limit-related response header, it will include numeric information detailing your status.

• x-ratelimit-limit: The maximum number of requests available in the current time frame.

• x-ratelimit-remaining: The number of remaining requests in the current time frame.

• x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.

You should add logic to handle cases in which you exceed the provided rate limits and receive the HTTP Status Code 429 (Too Many Requests). In this case, if a retry is needed, it is best to allow for a back-off to avoid going into an infinite retry loop.

For scripts and rules that call Auth0 APIs, you should always handle rate limiting by checking the x-ratelimit-remaining header and acting appropriately when the number returned nears 0.

For database connections, Auth0 limits certain types of repeat login attempts depending on the user account and IP address. To learn more, read Rate Limits on User/Password Authentication.

If you attempt to send more than ten SMS messages to your device within one hour, you will receive an error message about a rate limit exception.

When you exceed your messaging limit, you'll need to wait at least an hour after your request for your first message before requesting another. You will receive an additional attempt after the passage of each additional hour.

Limits are only applied to requests related to the Native Social Login flows, which are identified based on the body of the requests with the following initial criteria:

• Management API Endpoint Rate Limits
• Authentication API Endpoint Rate Limits
• Entity Limit Policy