Authentication API Endpoint Rate Limits

Effective Date: 19 May 2020

Each Authentication API endpoint is configured with a bucket that defines the request limit and rate limit window (per second, per minute, per day, etc.).

bucket:
    size: x
    per_minute: y

For example, the above states that the given bucket holds at most x requests, and that for each minute that elapses, permissions for y further requests are added back. In other words, every 60/y seconds one additional request is added to the bucket. This refill happens automatically until the bucket again contains the maximum permitted number of requests.

For some API endpoints, the rate limit is a single bucket shared by all callers, so the origin of a call does not affect how the limit changes. For other endpoints, the buckets are keyed (for example, by originating IP address), so the source of each call is taken into account when counting the API calls received.
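A simulation of the bucket described above, first as one shared bucket and then keyed per caller (for instance per IP address). This is an added example, not Auth0's implementation; the pairing of "5 requests per minute with bursts up to 10" with size=10, per_minute=5 in the usage is an assumption about how the tables below map onto the bucket definition.

```python
class TokenBucket:
    """Bucket shaped like the page's ``bucket: size: x, per_minute: y``.

    It holds at most ``size`` permissions; ``per_minute`` permissions are added
    back each minute, i.e. one every 60/per_minute seconds, until it is full.
    Time is passed in explicitly so the behaviour can be simulated offline.
    """

    def __init__(self, size: int, per_minute: int, now: float = 0.0):
        self.size, self.per_minute = size, per_minute
        self.tokens = float(size)  # a fresh bucket starts full
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.size), self.tokens + elapsed * self.per_minute / 60.0)
        self.updated = now

    def try_acquire(self, now: float) -> bool:
        """Consume one permission; False is the case the API turns into an HTTP 429."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_available(self, now: float) -> float:
        """Seconds until the next permission is added back (0.0 if one is available)."""
        self._refill(now)
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) * 60.0 / self.per_minute


class KeyedBuckets:
    """One bucket per key (e.g. per IP address or user ID): the keyed case the
    page describes, where one caller exhausting its bucket does not affect others."""

    def __init__(self, size: int, per_minute: int):
        self.size, self.per_minute = size, per_minute
        self.buckets = {}

    def try_acquire(self, key: str, now: float) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.size, self.per_minute, now)
        return bucket.try_acquire(now)


def simulate_burst(size: int, per_minute: int, n: int) -> tuple:
    """Send n requests at t=0 against a full bucket; returns (accepted, rejected)."""
    bucket = TokenBucket(size, per_minute)  # assumed /userinfo shape: size=10, per_minute=5
    results = [bucket.try_acquire(0.0) for _ in range(n)]
    return results.count(True), results.count(False)
```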

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, read Attack Protection for more information.

Limits for production tenants of paying customers

Endpoint | Path | Limited By | Rate Limit
-------- | ---- | ---------- | ----------
All Endpoints | All Authentication API endpoints | Sum of all combined requests to any Authentication API endpoint | 100 requests per second
User Profile | /tokeninfo (Legacy) | IP Address | 800 requests per minute
User Profile | /userinfo | User ID | 5 requests per minute with bursts up to 10 requests
Delegation | /delegation | User ID, IP Address | 1 request per minute with bursts of up to 10 requests
Change Password | /dbconnections/change_password | User Email, IP Address | 1 request per minute with bursts up to 10 requests
Signup | /dbconnections/signup | IP Address | 50 requests per minute
Get Passwordless Code or Link | /passwordless/start | IP Address | 50 requests per hour when using non-authenticated calls. For authenticated clients, we do not apply this rate limit and the global limits are enforced (considered an Authentication API endpoint). Upon request, we can enforce this limit on authenticated clients for Universal Login.
Classic Experience with MFA | /login and others | Sum of all combined requests to any Authentication API endpoint | 100 requests per second

Limits for non-production tenants of paying customers and all tenants of free customers

Endpoint | Path | Limited By | Rate Limit
-------- | ---- | ---------- | ----------
User Profile | /tokeninfo (Legacy) | IP Address | 800 requests per minute
User Profile | /userinfo | User ID | 5 requests per minute with bursts up to 10 requests
Delegation | /delegation | User ID, IP Address | 1 request per minute with bursts of up to 10 requests
Change Password | /dbconnections/change_password | User Email, IP Address | 1 request per minute with bursts up to 10 requests
Signup | /dbconnections/signup | IP Address | 50 requests per minute
Get Passwordless Code or Link | /passwordless/start | IP Address | 50 requests per hour
Get Token | /oauth/token | Any request | 30 requests per second
Cross Origin Authentication | /co/authenticate | Any request | 5 requests per second
Authentication | /usernamepassword/login | Any request | 5 requests per second
Resource Owner (Legacy) | /oauth/ro | Any request | 10 requests per second
JSON Web Token Keys | /.well-known/jwks.json | Any request | 20 requests per second

Free tenant global limits

To ensure Auth0's quality of service, the Authentication API is subject to several levels of rate limiting for free subscribers. Auth0's Authentication API has a global limit of 300 requests per minute for free tenants. The limit is global for the tenant and not per endpoint. The global rate limit applies to all Authentication API endpoints.

Affected endpoints

The global rate limit applies to all Authentication API endpoints. A complete list of the endpoints affected by this limit, along with the response returned when the rate limit is exceeded, is as follows:

Method | Endpoint | Response
------ | -------- | --------
GET | /authorize | Error Page
GET | /passwordless/verify_redirect | Error Page
POST | /dbconnections/change_password | JSON Error (too_many_requests)
GET | /dbconnections/change_password | JSON Error (too_many_requests)
POST | /dbconnections/self_change_password | JSON Error (too_many_requests)
POST | /co/authenticate | JSON Error (access_denied)
POST | /delegation | JSON Error (too_many_requests)
GET | /delegation | JSON Error (too_many_requests)
GET | /activate | Error Page
POST | /activate | Error Page
POST | /oauth/device/code | JSON Error (access_denied)
POST | /oauth/ro | JSON Error (access_denied)
GET | /oauth/ro | JSON Error (access_denied)
POST | /oauth/token | JSON Error (access_denied)
POST | /oauth/introspect | JSON Error (access_denied)
GET | /passwordless/start | JSON Error (too_many_requests)
POST | /passwordless/start | JSON Error (too_many_requests)
POST | /u/reset-password/request/:connection | Error Page
GET | /u/consent | Error Page
POST | /u/consent | Error Page
GET | /u/login | Error Page
POST | /u/login | Error Page
GET | /u/mfa-country-codes | Error Page
POST | /u/mfa-country-codes | Error Page
GET | /u/mfa-email-challenge | Error Page
POST | /u/mfa-email-challenge | Error Page
GET | /u/mfa-email-enrollment | Error Page
POST | /u/mfa-email-enrollment | Error Page
GET | /u/mfa-email-enrollment-verify | Error Page
POST | /u/mfa-email-enrollment-verify | Error Page
GET | /u/mfa-email-list | Error Page
POST | /u/mfa-email-list | Error Page
GET | /u/mfa-enroll-options | Error Page
POST | /u/mfa-enroll-options | Error Page
GET | /u/mfa-guardian-list | Error Page
POST | /u/mfa-guardian-list | Error Page
GET | /u/mfa-guardian-welcome | Error Page
POST | /u/mfa-guardian-welcome | Error Page
GET | /u/mfa-login-options | Error Page
POST | /u/mfa-login-options | Error Page
GET | /u/mfa-otp-challenge | Error Page
POST | /u/mfa-otp-challenge | Error Page
GET | /u/mfa-otp-enrollment | Error Page
POST | /u/mfa-otp-enrollment | Error Page
GET | /u/mfa-push-challenge | Error Page
POST | /u/mfa-push-challenge | Error Page
GET | /u/mfa-push-enrollment | Error Page
POST | /u/mfa-push-enrollment | Error Page
GET | /u/mfa-recovery-code-challenge | Error Page
POST | /u/mfa-recovery-code-challenge | Error Page
GET | /u/mfa-recovery-code-challenge-new-code | Error Page
POST | /u/mfa-recovery-code-challenge-new-code | Error Page
GET | /u/mfa-recovery-code-enrollment | Error Page
POST | /u/mfa-recovery-code-enrollment | Error Page
GET | /u/mfa-sms-challenge | Error Page
POST | /u/mfa-sms-challenge | Error Page
GET | /u/mfa-sms-enrollment | Error Page
POST | /u/mfa-sms-enrollment | Error Page
GET | /u/mfa-sms-enrollment-verify | Error Page
POST | /u/mfa-sms-enrollment-verify | Error Page
GET | /u/mfa-sms-list | Error Page
POST | /u/mfa-sms-list | Error Page
GET | /u/reset-password | Error Page
POST | /u/reset-password | Error Page
GET | /u/reset-password/request/:connection | Error Page
GET | /u/signup | Error Page
POST | /u/signup | Error Page
GET | /tokeninfo | Text: "Rate limit exceed"
POST | /tokeninfo | Text: "Rate limit exceed"
POST | /userinfo | Text: "Rate limit exceed"
GET | /userinfo | Text: "Rate limit exceed"
POST | /usernamepassword/login | JSON Error (too_many_requests)
GET | /usernamepassword/login | JSON Error (too_many_requests)
GET | /.well-known/jwks.json | Text: "Rate limit exceed"
GET | /.well-known/openid-configuration | JSON Error (access_denied)
GET | /cer/:clientID? | Text: "Rate limit exceed"
GET | /pb7/:clientID? | Text: "Rate limit exceed"
GET | /pem/:clientID? | Text: "Rate limit exceed"
GET | /rawpem/:clientID? | Text: "Rate limit exceed"
GET | /samlp/:clientID | Text: "Rate limit exceed"
POST | /samlp/:clientID | Text: "Rate limit exceed"
GET | /samlp/metadata | Text: "Rate limit exceed"
GET | /samlp/metadata/:clientID | Text: "Rate limit exceed"
GET | /:clientID/trust/mex | XML Error (wst:RequestFailed)
POST | /:clientID/trust/usernamemixed | XML Error (wst:RequestFailed, Status Code: 500)
GET | /decision | Error Page
POST | /decision | Error Page
POST | /drwatson | Text: "Rate limit exceed"
POST | /mfa/associate | JSON Error (access_denied)
GET | /mfa/authenticators | JSON Error (access_denied)
DELETE | /mfa/authenticators/:authenticator_id | JSON Error (access_denied)
POST | /mfa/challenge | JSON Error (access_denied)
GET | /oauth/access_token | JSON Error (access_denied)
POST | /oauth/access_token | JSON Error (access_denied)
GET | /p/:strategy/:ticket | Text: "Rate limit exceed"
POST | /p/:strategy/:ticket | Text: "Rate limit exceed"
GET | /p/:strategy/:ticket/info | Text: "Rate limit exceed"
GET | /passwordless/verify | JSON Error (too_many_requests)
POST | /passwordless/verify | JSON Error (too_many_requests)
GET | /rms | Error Page
GET | /rms/:clientID/adfs/fs/federationserverservice.asmx | XML Error (fed:BadRequest)
POST | /rms/:clientID/adfs/fs/federationserverservice.asmx | XML Error (fed:BadRequest)
GET | /rms/:clientID/FederationMetadata/2007-06/FederationMetadata.xml | JSON Error (too_many_requests)
GET | /samlp/:clientID/logout | Error Page
POST | /samlp/:clientID/logout | Error Page
GET | /samlp/idp/slo | Text: "Rate limit exceed"
GET | /sso_dbconnection_popup/:clientID | JSON Error (access_denied)
GET | /wsfed | Error Page
GET | /wsfed/:clientID | Error Page
GET | /wsfed/:clientID/FederationMetadata/2007-06/FederationMetadata.xml | Error Page
GET | /wsfed/FederationMetadata/2007-06/FederationMetadata.xml | Error Page
GET | /.well-known/apple-app-site-association | JSON Error (access_denied)
GET | /.well-known/assetlinks.json | JSON Error (access_denied)
GET | /adfs/fs/federationserverservice.asmx | XML Error (fed:BadRequest)
POST | /adfs/fs/federationserverservice.asmx | XML Error (fed:BadRequest)
GET | /apple-app-site-association | JSON Error (access_denied)
GET | /aws-saml/metadata | Text: "Rate limit exceed"
GET | /changepwd/completed | JSON Error (too_many_requests)
GET | /changepwd/form | Error Page
POST | /changepwd/reset | JSON Error (too_many_requests)
POST | /co/verify | Text: "Rate limit exceed"
GET | /continue | Error Page
POST | /continue | Error Page
GET | /custom-login/preview | JSON Error (too_many_requests)
POST | /dbconnections/delete | JSON Error (too_many_requests)
GET | /dbconnections/login | JSON Error (too_many_requests)
POST | /dbconnections/login | JSON Error (too_many_requests)
GET | /dbconnections/signup | JSON Error (too_many_requests)
POST | /dbconnections/signup | JSON Error (too_many_requests)
POST | /dbconnections/verify_email | JSON Error (too_many_requests)
GET | /FederationMetadata/2007-06/FederationMetadata.xml | XML Error (fed:BadRequest)
GET | /i/login | Error Page
GET | /i/login/sso/:provider | Text: "Rate limit exceed"
GET | /i/oauth2/authorize | JSON Error (access_denied)
GET | /login | Error Page
GET | /login/callback | Error Page
POST | /login/callback | Error Page
GET | /logout | Error Page
POST | /logout | Error Page
GET | /mf | Error Page
POST | /mf | Error Page
POST | /oauth/reverse | JSON Error (access_denied)
POST | /oauth/revoke | JSON Error (access_denied)
POST | /state/introspect | JSON Error (too_many_requests)
GET | /unblock | Error Page
POST | /unlink | JSON Error (too_many_requests)
GET | /user/ssodata | Text: "Rate limit exceed"
GET | /users/:id/impersonate | JSON Error (too_many_requests)
POST | /users/:id/impersonate | JSON Error (too_many_requests)
GET | /v2/logout | Error Page

Private Cloud rate limit policies

Private Cloud customer rate limits are specific to your service tier. All values are measured in Requests per Second.

API | Basic | Performance | Performance Plus
--- | ----- | ----------- | ----------------
Authentication API by Prod Tenant | 100 | 500 | 1500
Authentication API protection by tenant | 100 | 500 | 1500

Private Cloud has different global limits for the Authentication API; all service-specific enterprise rate limits still apply.

Exceeded rate limit responses

If you exceed the rate limit for a given API endpoint, you'll receive an HTTP 429 (Too Many Requests) response. The response will also contain HTTP Response Headers that provide additional information on the rate limits applicable to that endpoint.

If you exceed the global rate limit, the following log entry is emitted to your tenant logs: "You have reached the global limit for your account." A single log entry is written per hour while your account exceeds the rate limit. To view the log entries for a subscription, navigate to the Logs page in the Dashboard.

The response body you receive depends on the endpoint. Each endpoint typically provides a return value in a different format (for example, some return an HTTP response, while others redirect to a URL and pass values in the query string). If the endpoint typically provides the response expected as JSON in the HTTP body, then a JSON error response will be sent if a rate limit is reached. To learn more, review the Review HTTP response headers section of our Rate Limit Policy.

Error page

The error page response is sent for endpoints that render HTML content to the end user. When you exceed the rate limit, Auth0 renders the error page instead of the expected content.

JSON error

Endpoints that usually provide JSON-formatted responses will return a JSON object containing an error code and description.

{
  "error": "access_denied or too_many_requests",
  "error_description": "Global rate limit exceeded",
  "error_uri": "https://.../... documentation url"
}

The error you receive depends on the type of endpoint you're calling:

  • access_denied: for OAuth endpoints

  • too_many_requests: for endpoints that return JSON

XML error

XML Errors are returned for endpoints that normally return XML.

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" ...>
 <env:Body>
  <env:Fault>
   <env:Code>
     <env:Value>env:Sender</env:Value>
     <env:Subcode>
      <env:Value>fed:BadRequest or wst:RequestFailed</env:Value>
     </env:Subcode>
   </env:Code>
   <env:Reason>
     <env:Text xml:lang="en">Global rate limit exceeded</env:Text>
   </env:Reason>
   <env:Detail>
   </env:Detail>
  </env:Fault>
 </env:Body>
</env:Envelope>

The error you receive depends on the type of endpoint you're calling:

  • fed:BadRequest will be sent for WSFed-related endpoints.

  • wst:RequestFailed will be used for WSTrust-related endpoints.
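A client-side detector for the throttling responses described in the three sections above (the HTTP 429 status, the JSON error, the SOAP/XML fault and the plain-text body), so that a calling service can recognise that it is being rate limited and back off instead of retrying blindly. This is an added example, not Auth0 code; the sample bodies are constructed from the page's own JSON and XML examples and the error_uri value is a placeholder.

```python
import json
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
JSON_CODES = {"access_denied", "too_many_requests"}     # codes from the "JSON error" section
XML_SUBCODES = {"fed:BadRequest", "wst:RequestFailed"}  # subcodes from the "XML error" section


def _soap_fault_subcode(body: str) -> Optional[str]:
    """Return env:Fault/env:Code/env:Subcode/env:Value from a SOAP 1.2 fault, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(".//env:Fault/env:Code/env:Subcode/env:Value", {"env": SOAP_ENV})
    return node.text.strip() if node is not None and node.text else None


def classify_rate_limit(status: int, body: str) -> Optional[Tuple[str, str]]:
    """Return (format, code) when a response is a throttling response, else None.

    Recognises: a JSON error with an access_denied/too_many_requests code whose
    description mentions the rate limit (a bare access_denied is a normal
    authorization failure and is not treated as throttling), a SOAP fault with
    subcode fed:BadRequest/wst:RequestFailed, the plain-text body
    "Rate limit exceed", and HTTP 429 with any other body (this is how the
    rendered HTML error page is caught, since its markup is not sniffed).
    """
    text = body.strip()
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = {}
        code = str(obj.get("error", ""))
        if code in JSON_CODES and "rate limit" in str(obj.get("error_description", "")).lower():
            return ("json", code)
    elif text.startswith("<"):
        subcode = _soap_fault_subcode(text)
        if subcode in XML_SUBCODES:
            return ("xml", subcode)
    if text.lower().startswith("rate limit exceed"):
        return ("text", "rate_limit_exceed")
    if status == 429:
        return ("status", "too_many_requests")
    return None


# Constructed sample bodies modelled on the page's examples (not captured traffic).
SAMPLE_JSON = ('{"error": "too_many_requests", "error_description": "Global rate limit exceeded", '
               '"error_uri": "https://docs.example.invalid/rate-limit-placeholder"}')
SAMPLE_XML = ('<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body><env:Fault>'
              '<env:Code><env:Value>env:Sender</env:Value><env:Subcode><env:Value>wst:RequestFailed'
              '</env:Value></env:Subcode></env:Code><env:Reason><env:Text xml:lang="en">Global rate '
              'limit exceeded</env:Text></env:Reason><env:Detail></env:Detail></env:Fault></env:Body>'
              '</env:Envelope>')
```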

Recommendations to reduce calls to Auth0

When you exceed your rate limits, you'll need to reduce the number of calls you make to Auth0. The specifics depend on your use case, but here are some recommendations:

  • Cache /.well-known/* responses: This information does not change frequently, so you can usually cache it to reduce the number of times you need to call Auth0.

  • Consider requesting an id_token instead of calling /userinfo to get information about the user.

  • Reduce bulk calls, such as bulk delete or bulk unlock.
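One way to follow the first recommendation for /.well-known/jwks.json, as an added example that is not Auth0's code: a key cache that serves signing keys from memory for a TTL and, on an unknown kid, refreshes at most once per cooldown window, so a stream of tokens carrying bogus kids cannot be turned into a stream of JWKS requests. The fetch callable, the constructed JWKS document and the injected clock are assumptions made so the example runs offline.

```python
import time
from typing import Callable, Dict, Optional


class JwksCache:
    """Cache for a JWKS document keyed by ``kid``.

    ``fetch`` returns the JWKS as a dict (in production it would GET the tenant's
    /.well-known/jwks.json). Keys are served from memory for ``ttl`` seconds; an
    unknown kid triggers a refresh at most once per ``miss_cooldown`` seconds.
    """

    def __init__(self, fetch: Callable[[], dict], ttl: float = 3600.0,
                 miss_cooldown: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._cooldown, self._clock = fetch, ttl, miss_cooldown, clock
        self._keys: Dict[str, dict] = {}
        self._fetched_at = float("-inf")
        self._last_miss_refresh = float("-inf")
        self.fetch_count = 0  # exposed so callers can verify how often the endpoint is hit

    def _refresh(self) -> None:
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK for ``kid`` or None; refreshes on TTL expiry or a rate-limited miss."""
        now = self._clock()
        if now - self._fetched_at >= self._ttl:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and now - self._last_miss_refresh >= self._cooldown:
            self._last_miss_refresh = now  # one refresh per cooldown window, hit or miss
            self._refresh()
            key = self._keys.get(kid)
        return key


# Constructed sample JWKS (not a real key); the lambda stands in for the HTTP fetch.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig",
                         "alg": "RS256", "n": "sample-modulus", "e": "AQAB"}]}


def fetch_sample_jwks() -> dict:
    return SAMPLE_JWKS
```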