Management API Endpoint Rate Limits

Effective Date: 19 May 2020

The rate limits for this API differ depending on whether your tenant is free or paid, production or not.

| Tenant Type | Requests per Second | Bursts per Minute (Peak) |
| --- | --- | --- |
| Free or Trial | 10 | 120 |
| Self Service (Paid) | 50 | 1000 |
| Enterprise (Production) | 50 | 1000 |
| Enterprise (Non-production) | 2 | 10 |

The rate limits include calls made via Rules and are set by tenant and not by endpoint. Each endpoint is configured with a bucket that defines the request limit and the rate limit window (per second, per minute, per day, etc.).

bucket:
    size: x
    per_minute: y

For example, the above states that, for the given bucket, there is a maximum request limit of x per minute, and for each minute that elapses, permissions for y requests are added back. In other words, for each 60/y seconds, one additional request is added to the bucket. This occurs automatically until the bucket contains the maximum permitted number of requests.
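The refill arithmetic above, as an added example (not Auth0's code): a client-side model of one bucket that replays request timestamps and reports which calls would be accepted and how long a rejected call should wait. The names `Bucket`, `try_acquire`, `simulate` and the sample values (size 5, per_minute 30) are assumptions chosen for illustration.

```python
class Bucket:
    """Model of one bucket: `size` requests max, one restored every 60/per_minute s."""

    def __init__(self, size, per_minute, now=0.0):
        self.size = size
        self.interval = 60.0 / per_minute  # seconds needed to restore one request
        self.tokens = size                 # the bucket starts full
        self.last = now                    # time up to which refills are credited

    def _refill(self, now):
        if self.tokens >= self.size:
            self.last = now                # a full bucket accrues nothing extra
            return
        restored = int((now - self.last) // self.interval)
        if restored > 0:
            self.tokens = min(self.size, self.tokens + restored)
            # Keep the fractional remainder unless the bucket filled up.
            full = self.tokens == self.size
            self.last = now if full else self.last + restored * self.interval

    def try_acquire(self, now):
        """Consume one request and return 0.0, or return the seconds to wait."""
        self._refill(now)
        if self.tokens > 0:
            self.tokens -= 1
            return 0.0
        return self.last + self.interval - now


def simulate(size, per_minute, arrivals):
    """Replay request times (seconds); return (accepted, rejected) lists."""
    bucket = Bucket(size, per_minute, now=arrivals[0] if arrivals else 0.0)
    accepted, rejected = [], []
    for t in arrivals:
        wait = bucket.try_acquire(t)
        (accepted if wait == 0.0 else rejected).append((t, round(wait, 3)))
    return accepted, rejected


# Constructed sample: a burst of 7 calls at t=0, then calls at 2.0 s, 2.5 s, 60 s.
SAMPLE_ARRIVALS = [0.0] * 7 + [2.0, 2.5, 60.0]

if __name__ == "__main__":
    ok, denied = simulate(5, 30, SAMPLE_ARRIVALS)  # 60/30 = one request per 2 s
    print("accepted:", ok)
    print("rejected (time, wait):", denied)
```

The wait value returned for a rejected call is the client-side equivalent of backing off until the next request is restored, which keeps automation from repeatedly hitting the limit.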

For some API endpoints, the rate limits are defined per bucket, so the origins of the call do not influence the rate limit changes. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, see Attack Protection for more information.

The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.

Enterprise and Startup subscription limits

| Endpoint Group | Path | Rate Limit (per second) | Rate Limit (per minute) |
| --- | --- | --- | --- |
| Read organizations | GET /api/v2/organizations | 10 | 100 |
| | GET /api/v2/organizations/{id} | | |
| Read user's organizations | GET /api/v2/users/{id}/organizations | 40 | 500 |
| Get organization by name | GET /api/v2/organizations/name/{name} | 20 | 200 |
| Write organizations | POST /api/v2/organizations | 5 | 150 |
| | PATCH /api/v2/organizations/{id} | 5 | 150 |
| | DELETE /api/v2/organizations/{id} | 5 | 150 |
| Read organization members | GET /api/v2/organizations/{id}/members | 40 | 500 |
| | GET /api/v2/organizations/{id}/invitations | 40 | 500 |
| Write organization members | POST /api/v2/organizations/{id}/members | 20 | 200 |
| | POST /api/v2/organizations/{id}/invitations | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/members | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/invitations/{invitation_id} | 20 | 200 |
| Read organization member invitation | GET /api/v2/organizations/{id}/invitations/{invitation_id} | 20 | 200 |
| Read organization member roles | GET /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| Write organization member roles | POST /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| | DELETE /api/v2/organizations/{id}/members/{user_id}/roles | 20 | 200 |
| Read organization connections | GET /api/v2/organizations/{id}/enabled_connections/ | 10 | 100 |
| | GET /api/v2/organizations/{id}/enabled_connections/{connection_id} | 10 | 100 |
| Write organization connections | POST /api/v2/organizations/{id}/enabled_connections | 5 | 150 |
| | PATCH /api/v2/organizations/{id}/enabled_connections/{connection_id} | 5 | 150 |
| | DELETE /api/v2/organizations/{id}/enabled_connections | 5 | 150 |

Self-service subscription limits

| Endpoint Group | Path | Rate Limit (per second) | Rate Limit (per minute) |
| --- | --- | --- | --- |
| Read users | GET /api/v2/users | 40 | 500 |
| | GET /api/v2/users-by-email | | |
| | GET /api/v2/users/{id} | | |
| Write users | POST /api/v2/users | 20 | 200 |
| | POST /api/v2/users/{id}/identities | | |
| | PATCH /api/v2/users/{id} | | |
| | DELETE /api/v2/connections/{id}/users | | |
| | DELETE /api/v2/users/{id}/identities/{provider}/{user_id} | | |
| | DELETE /api/v2/users/{id} | | |
| Read logs | GET /api/v2/logs | 10 | 100 |
| | GET /api/v2/logs/{id} | | |
| | GET /api/v2/users/{id}/logs | | |
| Read clients | GET /api/v2/clients | 5 | 100 |
| | GET /api/v2/clients/{id} | | |
| Read connections | GET /api/v2/connections | 10 | 100 |
| | GET /api/v2/connections/{id} | | |
| Write device credentials | POST /api/v2/device-credentials | 5 | 100 |
| | DELETE /api/v2/device-credentials/{id} | | |
| All other endpoints combined | | 10 | 150 |

Endpoint limits for all subscriptions

| Endpoint | Path | Rate Limit (per second) | Rate Limit (per minute) | Rate Limit (per day) |
| --- | --- | --- | --- | --- |
| Verify custom domain | POST /api/v2/custom-domains/{id}/verify | n/a | 5 | n/a |
| Register dynamic client | POST /oidc/register | 5 | n/a | n/a |
| Read connection status | GET /api/v2/connections/{id}/status | 15 | n/a | n/a |
| Rotate signing keys | POST /api/v2/keys/signing/rotate | n/a | n/a | 5 |

Concurrent import users job limits

The create import users job endpoint has a limit of 2 concurrent import jobs. If you request additional jobs while 2 jobs are still pending, the endpoint returns the following response:

{
  "statusCode": 429,
  "error": "Too Many Requests",
  "message": "There are 2 active import users jobs, please wait until some of them are finished and try again"
}

Access token limits for single-page applications

If you obtain access tokens for your single-page applications (SPAs), there are rate limits that are applicable when working with the available current_user-related scopes and endpoints. You are allowed a maximum of 10 requests per minute per user.
