Auth0 API Rate Limit Policy

To ensure the quality of Auth0's services, the Auth0 API is subject to rate limiting.

If you are looking for information on the rate limits on user logins click here.


Depending on the API endpoint, the request limit and the rate limit window in which the request limit resets vary.

Each endpoint is configured with a bucket that defines:

  • the request limit
  • the rate limit window (per second, per minute, per hour, etc.)

    size: x
    per_minute: y

For example, the above states that, for the given bucket, there is a maximum request limit of x per minute, and for each minute that elapses, permissions for y requests are added back. In other words, every 60 / y seconds, one additional request is added to the bucket. This occurs automatically until the bucket contains the maximum permitted number of requests.

For some API endpoints, the rate limits are defined per bucket, so the origins of the call do not influence the rate limit changes. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.

Exceeding the Rate Limit

If you exceed the provided rate limit for a given API endpoint, you will receive the 429 Too Many Requests response with the following message:

    "message": "Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers."

Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.

If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.

HTTP Response Headers

API requests to selected Authentication or Management API endpoints will return HTTP Response Headers that show your current status against a given rate limit. If you receive a rate limit-related response header, it will include numeric information detailing your status.

  • X-RateLimit-Limit: Request limit
  • X-RateLimit-Remaining: Requests available for the current time frame
  • X-RateLimit-Reset: Time until the rate limit resets (in UTC epoch seconds)
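The bucket refill described above and the three response headers, worked through as an added Python example (not Auth0 code). The `Bucket` simulator, the `retry_delay` and `run_client` helpers and the sample timestamp are constructed for illustration, and the example assumes X-RateLimit-Reset names the epoch second at which a request is next available.

```python
import math

class Bucket:
    """Simulated bucket: holds at most `size` requests and regains
    one request every 60 / per_minute seconds."""

    def __init__(self, size, per_minute, now):
        self.size = size
        self.interval = 60.0 / per_minute  # seconds per refilled request
        self.tokens = float(size)
        self.last = now

    def request(self, now):
        """Return (status, headers) for one API call arriving at `now`."""
        elapsed = now - self.last
        self.tokens = min(self.size, self.tokens + elapsed / self.interval)
        self.last = now
        allowed = self.tokens >= 1
        if allowed:
            self.tokens -= 1
        # Assumption: Reset = epoch second when a request is next available.
        wait = 0 if self.tokens >= 1 else (1 - self.tokens) * self.interval
        headers = {
            "X-RateLimit-Limit": str(self.size),
            "X-RateLimit-Remaining": str(int(self.tokens)),
            "X-RateLimit-Reset": str(math.ceil(now + wait)),
        }
        return (200 if allowed else 429), headers

def retry_delay(status, headers, now):
    """Seconds a client should pause before sending its next call."""
    remaining = int(headers.get("X-RateLimit-Remaining", "1"))
    if status != 429 and remaining > 0:
        return 0
    return max(0, int(headers["X-RateLimit-Reset"]) - now)

def run_client(bucket, start, calls):
    """Make `calls` successful requests on a virtual clock, pausing as
    the headers direct instead of hammering the endpoint."""
    now, log = start, []
    while sum(1 for _, s in log if s == 200) < calls:
        status, headers = bucket.request(now)
        log.append((now, status))
        now += retry_delay(status, headers, now)
    return log

if __name__ == "__main__":
    T = 1_700_000_000  # constructed sample timestamp
    for when, status in run_client(Bucket(3, 6, T), T, 5):
        print(when - T, status)
```

A client that checks X-RateLimit-Remaining after every response and pauses until X-RateLimit-Reset never sees a 429 in this model; one that ignores the headers gets a 429 on the first call after the bucket is empty.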

Endpoints with Rate Limits

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, please see the page on Anomaly Detection for additional information.

Management API v2

Please note that there is a 50 requests per second limit on all Management API v2 calls per tenant. This includes calls made via Rules. The limit is set by tenant and not by endpoint.

The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.

Client Grants       /client-grants  /client-grants  /client-grants/{id}  /client-grants/{id}
Clients             /client  /client  /client/{id}  /client/{id}
Connections         /connections  /connections  /connections/{id}
Device Credentials  /device-credentials  /device-credentials  /device-credentials/{id}
Logs                /logs
Rules               /rules  /rules  /rules/{id}  /rules/{id}
User Blocks         /user-blocks
Users               /users
Emails              /emails/provider  /emails/provider  /emails/provider
Jobs                /jobs/{id}
Resource Servers    /resource-servers  /resource-servers  /resource-servers/{id}  /resource-servers/{id}
Stats               /stats/active-users
Tenants             /tenants/settings  /tenants/settings

Authentication API

The following Auth0 Authentication API endpoints return rate limit-related headers:

Endpoint                                             GET        POST
User Profile                                         /userinfo  /tokeninfo
Delegated Authentication*                            -          /delegation
Database and Active Directory / LDAP Authentication  -          /dbconnections/change_password

*The /delegation endpoint allows up to 10 requests per minute from the same IP address with the same user_id.