Rate Limit Policy For Auth0 APIs

To ensure the quality of Auth0's services, the Auth0 APIs are subject to rate limiting.

Auth0 reserves the right to modify the rate limits at any time. For up-to-date information on rate limits, please review the headers returned from rate limited endpoints.

Limits

The request limit, and the rate limit window in which that limit resets, vary by API endpoint.

Each endpoint is configured with a bucket that defines:

  • the request limit, and
  • the rate limit window (per second, per minute, per hour, and so on)

    bucket:
        size: x
        per_minute: y

For example, the above states that the given bucket holds a maximum of x requests, and that for each minute that elapses, permission for y more requests is added back. In other words, every 60 / y seconds one additional request is added to the bucket. This occurs automatically until the bucket again contains the maximum permitted number of requests.
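To make the bucket arithmetic concrete, here is an added example (not code from the Auth0 docs) that models a bucket with the size and per_minute parameters described above; the class and function names are my own, and the default figures in simulate_burst are the free-tenant numbers given on this page (bursts of up to 10, refilled at 2 requests per second).

```python
class TokenBucket:
    """Model of one Auth0 rate-limit bucket (size x, per_minute y): starts full,
    holds at most `size` requests and regains one request every 60 / per_minute
    seconds until full. `now` is a caller-supplied timestamp in seconds, so the
    model runs without a real clock (hypothetical helper, not Auth0 code)."""

    def __init__(self, size, per_minute, now=0.0):
        self.size = size
        self.refill_interval = 60.0 / per_minute  # seconds per regained request
        self.tokens = size                        # a fresh bucket is full
        self.last_refill = now

    def _refill(self, now):
        elapsed = now - self.last_refill
        regained = int(elapsed // self.refill_interval)  # whole requests earned
        if regained:
            self.tokens = min(self.size, self.tokens + regained)
            # advance by whole intervals only, so partial progress is kept
            self.last_refill += regained * self.refill_interval

    def try_request(self, now):
        """Consume one request if available; False means the caller would get a 429."""
        self._refill(now)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def remaining(self, now):
        """Requests still available at `now` (what X-RateLimit-Remaining would report)."""
        self._refill(now)
        return self.tokens

    def seconds_until_next(self, now):
        """Seconds to wait before one more request is permitted (0.0 if allowed now)."""
        self._refill(now)
        if self.tokens >= 1:
            return 0.0
        return self.refill_interval - (now - self.last_refill)


def simulate_burst(size=10, per_minute=120, now=0.0):
    """Fire size + 1 requests at once, then wait exactly until the next refill.
    Defaults model the free-tenant figures on this page: bursts of up to 10,
    refilled at 2 requests per second (120 per minute)."""
    bucket = TokenBucket(size, per_minute, now)
    results = [bucket.try_request(now) for _ in range(size + 1)]
    wait = bucket.seconds_until_next(now)
    return results, wait, bucket.try_request(now + wait)
```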

For some API endpoints, the rate limit is defined per bucket alone, so the origin of the call does not affect how the limit is consumed. For other buckets, the rate limit is keyed on additional values, so the originating IP address is also considered when counting the received API calls.

Exceeding the Rate Limit

If you exceed the provided rate limit for a given API endpoint, you will receive a response with HTTP Status Code 429 (Too Many Requests). You can refer to the HTTP Response Headers for more information on the rate limits applicable to that endpoint.

Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.

If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.

HTTP Response Headers

API requests to selected Authentication or Management API endpoints will return HTTP Response Headers that provide relevant data on the current status of your rate limits for that endpoint. If you receive a rate limit-related response header, it will include numeric information detailing your status.

  • X-RateLimit-Limit: The maximum number of requests available in the current time frame.
  • X-RateLimit-Remaining: The number of remaining requests in the current time frame.
  • X-RateLimit-Reset: A UNIX timestamp of the expected time when the rate limit will reset.
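As an added example (not Auth0's code), a client-side helper that reads the three headers above and, on a 429, pauses until X-RateLimit-Reset before retrying; the function names, the fallback of one second, and the constructed response values are assumptions.

```python
import time

RATE_LIMIT_HEADERS = ("X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset")

def parse_rate_limit(headers):
    """(limit, remaining, reset) from the Auth0 headers as ints, None where absent.
    HTTP header names are case-insensitive, so the lookup is too."""
    lower = {name.lower(): value for name, value in headers.items()}
    return tuple(int(lower[n.lower()]) if n.lower() in lower else None
                 for n in RATE_LIMIT_HEADERS)

def backoff_seconds(status, headers, now, fallback=1.0):
    """Seconds to pause before the next request: 0.0 unless the response was a 429,
    then until X-RateLimit-Reset (a UNIX timestamp), or `fallback` seconds when the
    header is missing or the reset time has already passed."""
    if status != 429:
        return 0.0
    reset = parse_rate_limit(headers)[2]
    if reset is None:
        return fallback
    wait = reset - now
    return wait if wait > 0 else fallback

def call_with_backoff(send, clock=time.time, sleep=time.sleep, max_attempts=5):
    """Call send() -> (status, headers, body); on a 429 pause until the window
    resets and retry. Returns the last response plus the total seconds paused."""
    paused = 0.0
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        wait = backoff_seconds(status, headers, clock())
        if wait == 0.0 or attempt == max_attempts:
            return status, headers, body, paused
        sleep(wait)
        paused += wait

def demo():
    """Constructed exchange: a 429 whose window resets 3 s from now, then a 200.
    A fake clock and sleep make it run instantly; all values are illustrative."""
    now = [1_700_000_000.0]
    reset = str(int(now[0]) + 3)
    responses = iter([
        (429, {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": reset}, "Too Many Requests"),
        (200, {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "9",
               "X-RateLimit-Reset": reset}, "{}"),
    ])
    def fake_sleep(seconds):
        now[0] += seconds
    return call_with_backoff(lambda: next(responses), clock=lambda: now[0], sleep=fake_sleep)
```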

Endpoints with Rate Limits

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, please see the page on Anomaly Detection for additional information.

Management API v2

The rate limits for this API differ depending on whether your tenant is free or paid, and whether or not it is a production tenant.

  • Tenants with no credit card associated in the Dashboard are free tenants.
  • To set an environment for your tenant (development, staging or production), go to Support Center > Tenants, find your tenant, select Assign Environment Tag, set the environment and save changes.

The following rate limits apply:

  • For all free tenants, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests).
  • For non-production tenants of enterprise customers, usage of the Management API is restricted to 2 requests per second (and bursts up to 10 requests).
  • For paid tenants, usage of the Management API is restricted to 15 requests per second (and bursts up to 50 requests).

The aforementioned rate limits include calls made via Rules.

Note that the limit is set by tenant and not by endpoint.

The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.

Endpoint | GET | POST | DELETE | PATCH
Application Grants | /client-grants | /client-grants | /client-grants/{id} | /client-grants/{id}
Applications | /client, /client/{id} | /client | /client/{id} | /client/{id}
Connections | /connections, /connections/{id} | /connections | /connections/{id}, /connections/{id}/users | /connections/{id}
Device Credentials | /device-credentials | /device-credentials | /device-credentials/{id} |
Logs | /logs, /log/{id} | | |
Rules | /rules, /rules/{id} | /rules | /rules/{id} | /rules/{id}
User Blocks | /user-blocks, /user-blocks/{id} | | /user-blocks, /user-blocks/{id} |
Users | /users, /users/{id}, /users/{id}/logs, /users/{id}/enrollments | /users, /users/{id}/identities | /users/{id}, /users/{id}/identities, /users/{id}/multifactor/{provider} | /users/{id}
Emails | /emails/provider | /emails/provider | | /emails/provider
Jobs | /jobs/{id}, /jobs/{id}/errors | /jobs/verification-email, /jobs/users-imports | |
Resource Servers | /resource-servers, /resource-servers/{id} | /resource-servers | /resource-servers/{id} | /resource-servers/{id}
Stats | /stats/active-users, /stats/daily | | |
Tenants | /tenants/settings | | | /tenants/settings

Authentication API

The following Auth0 Authentication API endpoints return rate limit-related headers.

Endpoint | Path | Limited By | Affected Tenants | Rate Limit
User Profile | /tokeninfo (legacy) | IP | All | 800 requests per minute
User Profile | /userinfo | User ID | All | 5 requests per minute with bursts of up to 10 requests
Delegated Authentication (legacy) | /delegation | User ID and IP | All | 1 request per minute with bursts of up to 10 requests
Delegated Authentication (legacy) | /delegation | (any request) | Free (*) | 10 requests per second
Change Password | /dbconnections/change_password | User ID and IP | All | 1 request per minute with bursts of up to 10 requests
Get Passwordless Code or Link | /passwordless/start | IP | All | 50 requests per hour
Get Token | /oauth/token | (any request) | Free | 30 requests per second
Cross Origin Authentication | /co/authenticate | (any request) | Free | 5 requests per second
Authentication | /usernamepassword/login | (any request) | Free | 5 requests per second
Resource Owner (legacy) | /oauth/ro | (any request) | Free | 10 requests per second
JSON Web Token Keys | /.well-known/jwks.json | (any request) | Free | 20 requests per second

(*) In all instances above, Free includes tenants on the Free plan, as well as the non-production tenants of enterprise customers.

Limits on Database Logins

For database connections, Auth0 limits certain types of repeated login attempts depending on the user account and IP address. For more information, see Rate Limits on User/Password Authentication.