Rate Limit Policy For Auth0 APIs
To ensure the quality of Auth0's services, the Auth0 APIs are subject to rate limiting.
The request limit, and the rate limit window after which that limit resets, vary from one API endpoint to another.
Each endpoint is configured with a bucket that defines:
- the request limit, and
- the rate limit window (per second, per minute, per hour, and so on)
For example, suppose a bucket is configured with a maximum request limit of
x per minute, and for each minute that elapses, permissions for
y requests are added back. In other words, every
60 / y seconds one additional request is added to the bucket. This occurs automatically until the bucket again contains the maximum permitted number of requests.
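The following is an added illustration of the bucket model described above; it is not Auth0's implementation, and `TokenBucket`, `FakeClock` and `burst` are names chosen here. A bucket starts full, one request is paid for per call, and refill is continuous at one request every `window_seconds / refill_per_window` seconds. The same model is also run with the Management API numbers for a free tenant (2 requests per second, bursts up to 10) to show how a burst is drained and then throttled.

```python
import time


class FakeClock:
    """Constructed wall clock so the bucket can be exercised offline (not part of the page)."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TokenBucket:
    """Token bucket of the kind the page describes: at most `capacity` requests are
    available at once, and `refill_per_window` requests are added back per
    `window_seconds`, i.e. one request every window_seconds / refill_per_window
    seconds, until the bucket is full again. Illustrative model, not Auth0's code."""

    def __init__(self, capacity, refill_per_window, window_seconds=60.0, clock=time.time):
        if capacity <= 0 or refill_per_window <= 0 or window_seconds <= 0:
            raise ValueError("capacity, refill rate and window must all be positive")
        self.capacity = capacity
        self.seconds_per_token = window_seconds / refill_per_window
        self._clock = clock
        self._tokens = float(capacity)  # a fresh bucket starts full
        self._last_refill = clock()

    def _refill(self):
        now = self._clock()
        elapsed = now - self._last_refill
        if elapsed > 0:
            self._tokens = min(float(self.capacity),
                               self._tokens + elapsed / self.seconds_per_token)
            self._last_refill = now

    def request(self):
        """Try to spend one request. Returns (http_status, rate-limit headers):
        200 when a token was available, 429 (Too Many Requests) otherwise."""
        self._refill()
        allowed = self._tokens >= 1.0
        if allowed:
            self._tokens -= 1.0
        # Seconds until the bucket is completely full again, reported as the
        # UNIX time at which a client may assume the limit has fully reset.
        seconds_to_full = (self.capacity - self._tokens) * self.seconds_per_token
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(self._tokens)),
            "X-RateLimit-Reset": str(int(self._clock() + seconds_to_full)),
        }
        return (200 if allowed else 429), headers


def burst(bucket, n):
    """Fire n requests back to back and return their status codes."""
    return [bucket.request()[0] for _ in range(n)]


if __name__ == "__main__":
    clock = FakeClock()
    # The page's example with x = 10 requests maximum and y = 10 refilled per
    # minute: one request comes back every 60 / 10 = 6 seconds.
    bucket = TokenBucket(capacity=10, refill_per_window=10, window_seconds=60, clock=clock)
    print(burst(bucket, 11))        # ten 200s, then a 429
    clock.advance(6)
    print(bucket.request())         # 200 again: one token has been refilled
    clock.advance(5.9)
    print(bucket.request()[0])      # 429: less than 6 s since the last token

    # Management API, free tenant: 2 requests per second, bursts up to 10.
    mgmt = TokenBucket(capacity=10, refill_per_window=2, window_seconds=1, clock=clock)
    print(burst(mgmt, 11))          # ten 200s, then a 429
    clock.advance(0.5)
    print(mgmt.request()[0])        # 200: one request per 0.5 s is added back
```

Note that `X-RateLimit-Reset` here is the time at which the bucket is full again, not the time at which the next single request becomes available; a client that waits for the reset is therefore conservative, which is the safe choice.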
Exceeding the Rate Limit
If you exceed the provided rate limit for a given API endpoint, you will receive a response with HTTP Status Code 429 (Too Many Requests). You can refer to the HTTP Response Headers for more information on the rate limits applicable to that endpoint.
Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.
If your app triggers the rate limit, refrain from making additional requests until the appropriate amount of time has elapsed; the HTTP Response Headers described below tell you when the limit is expected to reset.
HTTP Response Headers
API requests to selected Authentication or Management API endpoints will return HTTP Response Headers that provide relevant data on the current status of your rate limits for that endpoint. If you receive a rate limit-related response header, it will include numeric information detailing your status.
- X-RateLimit-Limit: The maximum number of requests available in the current time frame.
- X-RateLimit-Remaining: The number of remaining requests in the current time frame.
- X-RateLimit-Reset: A UNIX timestamp of the expected time when the rate limit will reset.
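As an added example (not code from the page or from an Auth0 SDK), the client below shows how a caller should react to the headers and to a 429: after a 429 it waits until `X-RateLimit-Reset` (falling back to exponential backoff when the header is absent, with jitter so many clients do not retry in lockstep), and once a response reports `X-RateLimit-Remaining: 0` it pauses before the next call rather than provoking a 429. `RateLimitAwareClient`, `OfflineClock`, `scripted_send` and the canned responses are constructed for this illustration; `send` stands in for whatever performs the real HTTP call and returns `(status, headers, body)`.

```python
import random
import time


class RateLimited(Exception):
    """Raised when a call is still answered with 429 after the configured retries."""


class OfflineClock:
    """Constructed clock whose sleep() just advances time, so the client runs offline."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def scripted_send(responses):
    """Constructed transport replaying canned (status, headers, body) tuples in order."""
    queue = list(responses)

    def send():
        if not queue:
            raise RuntimeError("script exhausted")
        return queue.pop(0)

    return send


def _header_int(headers, name):
    """Parse an integer rate-limit header; None when missing or malformed."""
    try:
        return int(headers.get(name))
    except (TypeError, ValueError):
        return None


class RateLimitAwareClient:
    """Wraps a send() callable returning (status, headers, body) and throttles on the
    X-RateLimit-* headers: waits out X-RateLimit-Reset after a 429 and pauses
    pre-emptively once X-RateLimit-Remaining reaches 0."""

    def __init__(self, send, max_retries=3, max_wait=120.0,
                 sleep=time.sleep, now=time.time, rng=None):
        self._send = send
        self.max_retries = max_retries
        self.max_wait = max_wait            # never sleep longer than this on one header
        self._sleep = sleep
        self._now = now
        self._rng = rng or random.Random()
        self._blocked_until = 0.0           # UNIX time before which the bucket is known empty
        self.waits = []                     # (reason, seconds) log for observability

    def _wait(self, seconds, reason):
        seconds = max(0.0, min(seconds, self.max_wait))
        self.waits.append((reason, seconds))
        if seconds > 0:
            self._sleep(seconds)

    def request(self):
        for attempt in range(self.max_retries + 1):
            # Pre-emptive pause: the previous response said no requests remain.
            pause = self._blocked_until - self._now()
            if pause > 0:
                self._wait(pause, "remaining=0, waiting for reset")
            status, headers, body = self._send()
            reset = _header_int(headers, "X-RateLimit-Reset")
            if _header_int(headers, "X-RateLimit-Remaining") == 0 and reset is not None:
                self._blocked_until = float(reset)
            if status != 429:
                return status, headers, body
            if attempt == self.max_retries:
                break
            if reset is not None:
                delay = reset - self._now()        # wait for the bucket to refill
            else:
                delay = 2.0 ** attempt             # no header: exponential backoff 1, 2, 4, ...
            delay += self._rng.uniform(0.0, 1.0)   # jitter against synchronized retries
            self._wait(delay, "429 received")
        raise RateLimited("still rate limited after %d retries" % self.max_retries)


def run_demo():
    """Constructed exchange: a 429 retried after the reset time, then a successful call
    whose headers report an empty bucket, after which the client pauses on its own."""
    clock = OfflineClock()
    t0 = clock.now()
    script = [
        (429, {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(int(t0 + 5))}, ""),
        (200, {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(int(t0 + 10))}, "first body"),
        (200, {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "9",
               "X-RateLimit-Reset": str(int(t0 + 70))}, "second body"),
    ]
    client = RateLimitAwareClient(scripted_send(script), sleep=clock.sleep,
                                  now=clock.now, rng=random.Random(7))
    first = client.request()
    second = client.request()
    return {"first": first[0], "second": second[0],
            "waits": list(client.waits), "elapsed": clock.now() - t0}


if __name__ == "__main__":
    print(run_demo())
```

The cap on the wait is deliberate: a wrong or skewed `X-RateLimit-Reset` should not park a worker for hours, and a client that is still rejected after `max_retries` raises rather than looping, so the condition surfaces in logs instead of being hidden inside the HTTP layer.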
Endpoints with Rate Limits
Management API v2
The rate limits for this API differ depending on whether your tenant is free or paid, and on whether it is a production tenant.
The following rate limits apply:
- For all free tenants, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests).
- For non-production tenants of enterprise customers, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests).
- For paid tenants, usage of the Management API is restricted to 15 requests per second (and bursts up to 50 requests).
The aforementioned rate limits include calls made via Rules.
Note that the limit is set per tenant, not per endpoint: every Management API call made against the tenant, from any client, draws from the same bucket.
Auth0 Management API endpoints also return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.
The following Auth0 Authentication API endpoints return rate limit-related headers.
| Endpoint | Path | Limited By | Affected Tenants | Rate Limit |
|---|---|---|---|---|
| Authentication and authorization | /authorize | IP | Non-Free (*) | 500 requests per minute |
| Authentication and authorization | /authorize | (any request) | Free (*) | 300 requests per minute |
| Authentication and authorization | /authorize | Session | All | 10 requests per second |
| User Profile | /tokeninfo (legacy) | IP | All | 800 requests per minute |
| User Profile | /userinfo | User ID | All | 5 requests per minute with bursts of up to 10 requests |
| Delegated Authentication (legacy) | /delegation | User ID and IP | All | 1 request per minute with bursts of up to 10 requests |
| Delegated Authentication (legacy) | /delegation | (any request) | Free (*) | 10 requests per second |
| Change Password | /dbconnections/change_password | User Email and IP | All | 1 request per minute with bursts of up to 10 requests |
| Get Passwordless Code or Link | /passwordless/start | IP | All | 50 requests per hour |
| Get Token | /oauth/token | (any request) | Free | 30 requests per second |
| Cross Origin Authentication | /co/authenticate | (any request) | Free | 5 requests per second |
| Authentication | /usernamepassword/login | (any request) | Free | 5 requests per second |
| Resource Owner (legacy) | /oauth/ro | (any request) | Free | 10 requests per second |
| JSON Web Token Keys | /.well-known/jwks.json | (any request) | Free | 20 requests per second |
Limits on Database Logins
For database connections, Auth0 limits certain types of repeat login attempts depending on the user account and IP address. For more information, see Rate Limits on User/Password Authentication.
Limits on SMS Messages for MFA
There's a limit of 10 SMS messages/hour per user for multi-factor authentication. For more information, see Configuring Twilio for Guardian SMS.