Rate Limit Policy
Effective Date: 18 June 2020
Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.
Auth0's rate limits vary based on the tenant type you have. The tenants that have no credit card associated in the Dashboard are free. There are also variations in terms of paid tenant types (e.g., non-production, production). To set an environment for your tenant (development, staging or production), go to Dashboard > Settings > General, find the Environment Tag section, set the environment type, and save changes.
API endpoint limits
To ensure the quality of Auth0's services, the Auth0 APIs are subject to rate limiting. Depending on the API endpoint, the request limit and the rate limit window in which the request limit resets, varies.
Using the Management API for free and trial tenants is restricted to 2 requests per second (with bursts of up to 10 requests). Exceeding these values triggers an HTTP 429 (Too Many Requests) response, but the error message states, "Global limit has been reached." These are in addition to those indicated in the rate limit response headers.
If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.
To learn more each endpoint limitation, read Management API Endpoints and Authentication API Endpoints.
Limits for Private Cloud Customers
Private Cloud customers rate limits depend on the service tier. Refer to the Management API and Authentication API rate limit policies for Private Cloud.
Review HTTP response headers
Auth0 reserves the right to modify the rate limits at any time. For the up-to-date information on rate limits, you can review the HTTP response headers returned from rate-limited endpoints.
API requests to selected Authentication or Management API endpoints will return HTTP response headers that provide relevant data on the current status of your rate limits for that endpoint. If you receive a rate limit-related response header, it will include numeric information detailing your status.
x-ratelimit-limit: The maximum number of requests available in the current time frame.
x-ratelimit-remaining: The number of remaining requests in the current time frame.
x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.
Handle rates limitations in code
You should add logic to handle cases in which you exceed the provided rate limits and receive the HTTP Status Code 429 (Too Many Requests). In this case, if a retry is needed, it is best to allow for a back-off to avoid going into an infinite retry loop.
For scripts and rules that call Auth0 APIs, you should always handle rate limiting by checking the x
-ratelimit-remaining header and acting appropriately when the number returned nears 0.
Database login limits
For database connections, Auth0 limits certain types of repeat login attempts depending on the user account and IP address. To learn more, read Rate Limits on User/Password Authentication.
SMS message limits for multi-factor authentication
If you attempt to send more than ten SMS messages to your device within one hour, you will receive an error message about a rate limit exception.
When you exceed your messaging limit, you'll need to wait at least an hour after your request for your first message before requesting another. You will receive an additional attempt after the passage of each additional hour.
Native social login limits
Limits are only applied to requests related to the Native Social Login flows, which are identified based on the body of the requests with the following initial criteria:
Limits for production tenants of paying customers
|Endpoint||Path||Limited By||Rate Limit|
||Any native social login request||50 per minute with bursts up to 500 requests|
Limits for non-production tenants of paying customers and all tenants of free customers
|Endpoint||Path||Limited By||Rate Limit|
||Native social login requests and IP||30 per minute|