Rate Limit Policy
Auth0 limits the use of services to assure optimal performance and protection from bad actors, technical errors, or excessive legitimate traffic. We recommend you review how Auth0 enforces limits to configure your application for the best user experience.
To find rate limits associated with your account, see Rate Limit Configurations for a matrix of all rate limit policies.
Introduction to Rate Limits
Auth0 enforces limitations to protect services from excessive requests and protect customers from service interruptions or degradation.
Auth0 observes, and in many cases, enforces an array of limits, including:
Requests to environments (Private Cloud Only)
Requests to tenants via API or API Endpoint
Miscellaneous Limits
Environment request limits (Private Cloud Only)
In Private Cloud, environment request limits are based on the Private Cloud Performance Tier. To learn more, read Private Cloud for AWS or Private Cloud for Azure.
Currently, Private Cloud environment rate limits represent the highest load under which the Auth0 product will meet SLAs. However, at this time, Auth0 only enforces and notifies customers when rate limits have been exceeded on a specific tenant within the environment. Under most Private Cloud use cases, where customers maintain a single Production Tenant, this is not a problem; however, use cases that provision more than one production tenant should consider the expected load across all tenants in the environment and implement additional monitoring as necessary.
| Feature | Authentication API | All Other APIs (including Management API) |
|---|---|---|
| Tenant Rate Limits | All tenants consume from a shared, environment-wide global limit for the API, but the environment rate limit is a hard cap. Exceeding the environment limit due to the combined load across tenants will result in rate limiting of the excess requests. | Tenant rate limits are enforced independently, and the environment rate limit acts as a threshold for potential performance degradation and SLA impact, but does not directly cause rate limiting at the tenant level. |
| Environment Rate Limit Exceeded (Example) | With an environment limit of 1500 rps, Tenant 1 at 1400 rps and Tenant 2 at 900 rps (combined 2300 rps) will result in 800 requests being rate limited. | With an environment limit of 1500 rps, Tenant 1 at 1400 rps and Tenant 2 at 900 rps (combined 2300 rps) will not cause individual tenants to be rate limited, but the overall environment may experience degraded performance and potential SLA issues. |
Exceeding an environment rate limit invalidates the Service Level Agreement (SLA).
For Private Cloud load testing considerations, refer to Private Cloud on AWS and Private Cloud on Azure.
Tenant request limits
Auth0 limits the number of requests that can be made on a tenant. These limits are configured depending on the API, and further by specific endpoints on each API.
API rate limits
Auth0 limits the number of requests to a specific API, regardless of the API endpoint. API limits may vary by:
API
Authentication
Management
Tenant type (Production vs. Development or Staging)
Subscription level (Free, Essential, Professional, Enterprise Public vs. Private)
For example, a free, non-production tenant could have different limits than a production tenant with a paid subscription. For specific rate limit configurations, see Rate Limit Configurations.
User requests
A single end user request (e.g., Login or Signup) typically initiates multiple requests to Authentication API Endpoints. The actual ratio of end user requests to Authentication API depends upon a handful of factors:
Entity Being Authenticated (e.g., Machine or End User Mobile or Desktop Application)
Authentication Experience (e.g., New Universal Login or Classic Login)
Authentication Flow (e.g., Login, Signup, or Change Password)
Authentication Flow Type (e.g., Login via Username / Password; Login via Social Login; Login when an existing Authentication Token already exists)
Customers leveraging Extensibility could add still more requests, not only to the Authentication API, but also the Management API, depending on the Extensibility Configuration. See Rate Limit Use Cases for guidance on how to estimate how your Auth0 configuration can impact your API usage.
Endpoint rate limits
Auth0 limits the number of requests made to API endpoints and, in some cases, the number of endpoint operations. API endpoint limits also vary by:
API
Tenant type
Subscription level
For example, a free, non-production tenant has different limits than a production tenant with a paid subscription.
Tenant request limits order
As requests to your tenant are made, Auth0 evaluates requests against the global limit for the API, and then evaluates requests against the rate limit for specific API endpoints.
Miscellaneous Limits
Database login limits
For database connections, Auth0 limits certain types of repeat login attempts depending on the user account and IP address. To protect the overall health of the system, Auth0 employs user/password rate limits that mitigate load. Auth0's high degree of customization can put us at risk of service degradation. Causes can include:
High-load stress tests
Benchmark tests
Inefficient code that causes users to log in multiple times
Requests are subject to limits as outlined in the individual policies for Auth0 APIs.
In addition, there is a same user login rate limit: If one IP address makes 20 login attempts in one minute to the same user account, the rate limit comes into effect. After that, Auth0 allows the user 10 attempts per minute. Any combination of successful and failed login attempts count toward this limit.
Limits that protect users
Auth0's brute-force protection and suspicious IP throttling can also limit logins and signups, but are independent of rate limits. To learn more about how Auth0 detects and handles potentially malicious anomalies, read Attack Protection.
SMS message limits for multi-factor authentication (end-users only)
If you attempt to send more than 10 SMS messages to your device within one hour, you will receive an error message about a rate limit exception.
When you exceed your messaging limit, you need to wait at least one hour after the first message request before requesting another. You will receive an additional attempt after the passage of each additional hour.
Native social login limits
Limits applied to Native Social login flow requests are identified based on the body of the requests with the following initial criteria:
| Request Type | Body |
|---|---|
grant_type |
urn:ietf:params:oauth:grant-type:token-exchange |
subject_token_type |
http://auth0.com/oauth/token-type/apple-authz-code |
Public Performance Burst
The Public Performance Burst offering is an available add-on to enterprise subscriptions that enhances an existing Public Cloud deployment. This offering allows a dynamic increase of the Authentication API request limit to a multiplier of the default enterprise request limit of 100 RPS for up to 48 hours monthly.
This add-on only extends the Authentication API request limits and does NOT apply to the Management API or other endpoints that are rate-limited outside the scope of the Authentication API.
Currently, there are three Public Performance Burst modifiers (2x, 3x, and 4x) allowing 200, 300, and 400 RPS, respectively, for the Authentication API for up to 48 hours monthly. The 48 hours are counted and deducted from the monthly allowed quota in 5-minute intervals, which enables usage of the API at the multiplier level for 576 5-minute intervals each month.
When the volume of requests for the Authentication API exceeds the default of 100 RPS, a 5-minute interval is deducted from the monthly allowance, and traffic is allowed at the rate associated with the multiplier. Traffic can stay within the multiplier range for the complete contiguous 5 minutes from that point without triggering additional deductions.
Monitoring of the interval deduction events is possible through tenant logs. Each deduction generates an associated `appi` tenant log event type containing information about the already consumed and remaining allowance.
For more information, see the Authentication API section in Rate Limits - Enterprise.
Private Performance Burst
Private Performance Burst offering (available AWS for 30x and 60x tiers currently) includes a burst (peak) performance capacity up to 30x (3,000 RPS) or 60x (6,000 RPS) for up to 80 hours per month. The base performance capacity, which is half of burst performance capacity, is available for the rest of the month.
In other words, 30x Private Performance Burst has:
Base capacity: 1,500 RPS for full month
Burst/peak capacity: 3,000 RPS for up to 80 hours a month
If the Authentication transactions burst above the Base API-Request limit, then one hour is deducted from the monthly allowance. Traffic could stay at an elevated rate for the complete contiguous hour from that point. Additional deductions are done in the above fashion when the threshold is crossed again.
Once the 80 hours allowance is exhausted, the Authentication traffic will be rate limited to base capacity till the new monthly allowance takes effect.
Extensibility concurrency limits
To ensure system availability and fair use of system resources, Auth0 limits the number of concurrent in-flight requests across all extensibility products: Actions, Hooks, Rules, Custom Database Connections, Extensions, and Custom OAuth2 connections. Tenants that exceed their concurrent request limits should expect errors for new requests until in-flight requests are completed. The concurrency limits are defined below:
| Subscription | Concurrency limit (per Tenant) |
|---|---|
| Public Cloud | 250 |
| Tier Dev Private Cloud | 100 |
| Private Cloud Basic 100 RPS (1x) | 200 |
| Private Cloud Performance 500 RPS (5x) | 400 |
| Private Cloud Performance 1500 RPS (15x) | 1200 |
| Private Cloud Performance 3000 RPS (30x) and 3000 RPS Burst (30x Burst) | 1200 |
| Private Cloud Performance 6000 RPS (60x) and 6000 RPS Burst (60x Burst) | 1200 |
Concurrency can be calculated by multiplying expected RPS by the latency of each request. For example, a tenant that has two bound post-login Actions, which each take 250ms with a total login RPS of 400 have an expected concurrency of (2 * (400 requests / 1 second) * (.25 seconds / 1 request)) = 200.
To ensure that your tenant is not impacted by these concurrency limits, please ensure that potentially long-running extensibility logic, such as calls to external APIs, have reasonable timeouts.
Rate limit algorithm
Auth0 sets rate limits and burst limits for its APIs. While the rate limit is the maximum sustainable amount of traffic the system allows on a sustained basis, the burst limit is the maximum short-term traffic volume the system allows within one time interval. Auth0 rate limits and burst limits work together to provide better limiting functionality for dynamic traffic volume.
Auth0 rate limits use a token bucket algorithm containing the following configurations:
Limit keys:
Typically, a rate limit key is based on a two main factors:
API and endpoint
Tenant type
In some cases, additional factors include:
Source IP
Target User ID
Limit values:
Bucket size: The maximum number of requests an API or endpoint receives in general, or receives from a specific user or IP address, before new requests are added.
Refill rate: The rate new requests are added to the bucket.
From these two numbers, Auth0 calculates the burst limit and sustained rate limit:
Burst limit: Equal to bucket size.
Sustained rate limit: Refill rate in requests per minute or second.
If the sustained rate limit is calculated in Requests per Second, new requests are added by milliseconds. If the sustained rate limit is calculated in Requests per Minute, new requests are added on a second basis.