Auth0 API Rate Limit Policy

To ensure the quality of Auth0's services, the Auth0 APIs are subject to rate limiting.

If you are looking for information on the rate limits on user logins, refer to Rate Limits on User/Password Authentication.


The request limit, and the rate limit window in which that limit resets, vary by API endpoint.

Each endpoint is configured with a bucket that defines:

  • the request limit, and
  • the rate limit window (per second, per minute, per hour, etc.)

    size: x
    per_minute: y

For example, the above states that, for the given bucket, there is a maximum request limit of x per minute, and for each minute that elapses, permissions for y requests are added back. In other words, for each 60 / y seconds, one additional request is added to the bucket. This occurs automatically until the bucket contains the maximum permitted number of requests.
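The refill rule described above, worked through as an added example (not Auth0's code): a small model of one bucket that returns the status each call would receive. The names `Bucket`, `replay` and `seconds_until_next`, the full starting bucket, and the mapping of "2 requests per second, bursts up to 10" to `size: 10` / `per_minute: 120` are assumptions made for illustration.

```python
class Bucket:
    """Model of one rate-limit bucket: at most `size` requests, with
    `per_minute` permissions added back for each minute that elapses."""

    def __init__(self, size, per_minute, start=0.0):
        self.size = size
        self.per_minute = per_minute
        self.tokens = float(size)   # assumption: the bucket starts full
        self.last = start           # time of the last refill, in seconds

    def _refill(self, now):
        # Credit the elapsed time, never exceeding the bucket size.
        # Fractional credit is a modelling assumption; it yields one
        # permission per 60 / per_minute seconds.
        gained = (now - self.last) * self.per_minute / 60.0
        self.tokens = min(float(self.size), self.tokens + gained)
        self.last = now

    def request(self, now):
        """Status a call arriving at time `now` would receive: 200 or 429."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 200
        return 429

    def seconds_until_next(self, now):
        """Wait needed before one more request is permitted."""
        self._refill(now)
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) * 60.0 / self.per_minute


def replay(bucket, times):
    """Feed constructed request timestamps (seconds, ascending) to the bucket."""
    return [bucket.request(t) for t in times]


if __name__ == "__main__":
    # Constructed traffic: 12 calls at once, then a poll every 0.25 s.
    b = Bucket(size=10, per_minute=120)
    print(replay(b, [0.0] * 12))              # burst of 10 passes, 2 rejected
    print(b.seconds_until_next(0.0))          # 60 / 120 = 0.5 s to the next slot
    print(replay(b, [0.25, 0.5, 0.75, 1.0]))  # polling faster than the refill
```

Polling at twice the refill rate gets every other call rejected, which is why pacing requests at 60 / y seconds is the steady-state ceiling once the burst allowance is spent.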

For some API endpoints, the rate limits are defined per bucket, so the origin of the call does not affect how requests are counted. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.

Exceeding the Rate Limit

If you exceed the provided rate limit for a given API endpoint, you will receive the 429 Too Many Requests response with the following message:

    "message": "Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers."

Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.

If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.

HTTP Response Headers

API requests to selected Authentication or Management API endpoints return HTTP response headers that show where you stand against a given rate limit. If you receive a rate limit-related response header, it will include numeric information detailing your status.

  • X-RateLimit-Limit: Request limit
  • X-RateLimit-Remaining: Requests available for the current time frame
  • X-RateLimit-Reset: Time until the rate limit resets (in UTC epoch seconds)

Endpoints with Rate Limits

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, please see the page on Anomaly Detection for additional information.

Management API v2

The rate limits for this API differ depending on whether your tenant is free or paid, production or not.

  • The tenants that have no credit card associated in the Dashboard are free.
  • To set an environment for your tenant (development, staging or production), go to Support Center > Tenants, find your tenant, select Assign Environment Tag, set the environment and save changes.

The following rate limits apply:

  • For all free tenants, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests). This policy goes into effect on Tuesday, September 12 at 1PM PT.
  • For non-production tenants of enterprise customers, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests). This policy goes into effect on Tuesday, September 19 at 1PM PT.
  • For paid tenants, usage of the Management API is restricted to 50 requests per second.

The aforementioned rate limits include calls made via Rules.

Note that the limit is set by tenant and not by endpoint, and that it does not apply to Private Instance deployments.

The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.

  • Client Grants: /client-grants /client-grants /client-grants/{id} /client-grants/{id}
  • Clients: /client /client /client/{id} /client/{id}
  • Connections: /connections /connections /connections/{id}
  • Device Credentials: /device-credentials /device-credentials /device-credentials/{id}
  • Logs: /logs
  • Rules: /rules /rules /rules/{id} /rules/{id}
  • User Blocks: /user-blocks
  • Users: /users
  • Emails: /emails/provider /emails/provider /emails/provider
  • Jobs: /jobs/{id}
  • Resource Servers: /resource-servers /resource-servers /resource-servers/{id} /resource-servers/{id}
  • Stats: /stats/active-users
  • Tenants: /tenants/settings /tenants/settings

Authentication API

The following Auth0 Authentication API endpoints return rate limit-related headers:

  • User Profile (scope: Per User ID (GET), Per IP (POST)): GET /userinfo, POST /tokeninfo
  • Delegated Authentication (scope: Per User ID per IP): POST /delegation
  • Database and Active Directory / LDAP Authentication (scope: Per User ID Per IP): POST /dbconnections/change_password