Management API Endpoint Rate Limits
Effective Date: 19 May 2020
The rate limits for this API differ depending on whether your tenant is free or paid, and whether your tenant is tagged as production or not. For more information on environment tags, read Set Up Multiple Environments.
Tenant Type | Sustained Requests per Second |
---|---|
Free or Trial (Production) | 2 |
Free or Trial (Non-production) | <1 |
Self Service (Production) | 16 |
Self Service (Non-production) | <1 |
Enterprise (Production) | 16 |
Enterprise (Non-production) | <1 |
There is burst capability built into the limits, so traffic that briefly exceeds the sustained rate limits is not limited. See Understand Rate Limits Burst Capability for details on rate limit behavior when the sustained limits are exceeded. The rate limits include calls made via Rules and are set by tenant and not by endpoint. Each endpoint is configured with a bucket that defines the request limit and the rate limit window (per second, per minute, per day, etc.).
For some API endpoints, the rate limits are defined per bucket, so the origin of the call does not affect how requests are counted. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.
If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, see Attack Protection for more information.
The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.
Enterprise and Startup subscription limits
Most endpoints are rate limited to 50 rps (requests per second) and 1000 rpm (requests per minute). Endpoints with additional rate limits are documented below:
| Endpoint Group | Path | Rate Limit (per second) | Rate Limit (per minute) |
|---|---|---|---|
| Read organizations | GET /api/v2/organizations | 10 | 100 |
| | GET /api/v2/organizations/{id} | | |
| Read user's organizations | GET /api/v2/users/{id}/organizations | 40 | 500 |
| Get organization by name | GET /api/v2/organizations/name/{name} | 20 | 200 |
| Write organizations | POST /api/v2/organizations | 5 | 150 |
| | PATCH /api/v2/organizations/{id} | 5 | 150 |
| | DELETE /api/v2/organizations/{id} | 5 | 150 |
| Read organization members | GET /api/v2/organizations/{id}/members | 40 | 500 |
| | GET /api/v2/organizations/{id}/invitations | 40 | 500 |
| Write organization members | POST /api/v2/organizations/{id}/members | 20 | 200 |
| | POST /api/v2/organizations/{id}/invitations | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/members | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/invitations/{invitation_id} | 20 | 200 |
| Read organization member invitation | GET /api/v2/organizations/{id}/invitations/{invitation_id} | 20 | 200 |
| Read organization member roles | GET /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| Write organization member roles | POST /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| Read organization connections | GET /api/v2/organizations/{id}/enabled_connections/ | 10 | 100 |
| | GET /api/v2/organizations/{id}/enabled_connections/{connection_id} | 10 | 100 |
| Write organization connections | POST /api/v2/organizations/{id}/enabled_connections | 5 | 150 |
| | PATCH /api/v2/organizations/{id}/enabled_connections/{connection_id} | 5 | 150 |
| | DELETE /api/v2/organizations/{id}/enabled_connections | 5 | 150 |
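An added example (not Auth0 code): a client-side throttle for scripts that call the Management API in bulk, enforcing a per-second and a per-minute limit from this section at the same time. `DualWindowLimiter` and `simulate` are hypothetical names; the sliding-window accounting is an assumption that is stricter than the server's bucket-with-burst behavior, and it assumes one limiter instance per endpoint group.

```python
import time
from collections import deque

class DualWindowLimiter:
    """Client-side throttle that respects a per-second and a per-minute limit."""

    def __init__(self, per_second, per_minute, clock=time.monotonic, sleep=time.sleep):
        self.windows = ((1.0, per_second), (60.0, per_minute))
        self.sent = deque()          # send times from the last 60 seconds
        self.clock, self.sleep = clock, sleep

    def wait_time(self, now):
        """Seconds until one more request fits inside both windows."""
        while self.sent and now - self.sent[0] >= 60.0:
            self.sent.popleft()      # older than the longest window
        delay = 0.0
        for span, limit in self.windows:
            recent = [t for t in self.sent if now - t < span]
            if len(recent) >= limit:
                # A slot frees when the oldest counted request ages out.
                delay = max(delay, recent[-limit] + span - now)
        return delay

    def acquire(self):
        """Block until a request may be sent; return the send time."""
        while True:
            now = self.clock()
            delay = self.wait_time(now)
            if delay <= 0:
                self.sent.append(now)
                return now
            self.sleep(delay)

def simulate(n, per_second, per_minute):
    """Send times of n back-to-back requests, using a simulated clock."""
    t = [0.0]  # constructed clock so the demonstration runs instantly
    limiter = DualWindowLimiter(
        per_second, per_minute,
        clock=lambda: t[0],
        sleep=lambda s: t.__setitem__(0, t[0] + s),
    )
    return [limiter.acquire() for _ in range(n)]

if __name__ == "__main__":
    writes = simulate(200, 5, 150)       # "Write organizations": 5 rps, 150 rpm
    print(writes[149], writes[150], writes[-1])
    general = simulate(1001, 50, 1000)   # general limit: 50 rps, 1000 rpm
    print(general[999], general[1000])
```

With the Write organizations limits the per-minute cap dominates: the first 150 calls go out in 30 seconds, then the script stalls until second 60, which is a sustained 2.5 requests per second rather than 5.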
Self-service subscription limits
| Endpoint Group | Path | Rate Limit (per second) | Rate Limit (per minute) |
|---|---|---|---|
| Read users | GET /api/v2/users | 40 | 500 |
| | GET /api/v2/users-by-email | | |
| | GET /api/v2/users/{id} | | |
| Write users | POST /api/v2/users | 20 | 200 |
| | POST /api/v2/users/{id}/identities | | |
| | PATCH /api/v2/users/{id} | | |
| | DELETE /api/v2/connections/{id}/users | | |
| | DELETE /api/v2/users/{id}/identities/{provider}/{user_id} | | |
| | DELETE /api/v2/users/{id} | | |
| Read logs | GET /api/v2/logs | 10 | 100 |
| | GET /api/v2/logs/{id} | | |
| | GET /api/v2/users/{id}/logs | | |
| Read clients | GET /api/v2/clients | 5 | 100 |
| | GET /api/v2/clients/{id} | | |
| Read connections | GET /api/v2/connections | 10 | 100 |
| | GET /api/v2/connections/{id} | | |
| Write device credentials | POST /api/v2/device-credentials | 5 | 100 |
| | DELETE /api/v2/device-credentials/{id} | | |
| All other endpoints combined | | 10 | 150 |
Endpoint limits for all subscriptions
| Endpoint | Path | Rate Limit (per second) | Rate Limit (per minute) | Rate Limit (per day) |
|---|---|---|---|---|
| Verify custom domain | POST /api/v2/custom-domains/{id}/verify | n/a | 5 | n/a |
| Register dynamic client | POST /oidc/register | 5 | n/a | n/a |
| Read connection status | GET /api/v2/connections/{id}/status | 15 | n/a | n/a |
| Rotate signing keys | POST /api/v2/keys/signing/rotate | n/a | n/a | 5 |
Concurrent import users job limits
The create import users job endpoint has a limit of 2 concurrent import jobs. If you request additional jobs while 2 jobs are already pending, the following response is returned:
```json
{
  "statusCode": 429,
  "error": "Too Many Requests",
  "message": "There are 2 active import users jobs, please wait until some of them are finished and try again"
}
```
Access token limits for single-page applications
If you obtain access tokens for your single-page applications (SPAs), there are rate limits that are applicable when working with the available current_user-related scopes and endpoints. You are allowed a maximum of 10 requests per minute per user.
Private Cloud rate limit policies
Private Cloud customer rate limits are specific to your service tier. All values are measured in Requests per Second.
API | Basic | Performance | Performance Plus |
---|---|---|---|
Management API Prod | 50 | 250 | 750 |
Management API Dev | 25 | 125 | 375 |
Tenant Per Minutes | 3000 | 15000 | 45000 |
Private Cloud has different global limits for the Management API; all service-specific enterprise rate limits still apply.