Management API Endpoint Rate Limits

Management API Endpoint Rate Limits

Effective Date: 19 May 2020

The rate limits for this API differ depending on whether your tenant is free or paid, and whether your tenant is tagged as production or not. For more information on environment tags, read Set Up Multiple Environments.

Tenant Type Sustained Requests per Second
Free or Trial (Production) 2
Free or Trial (Non-production) <1
Self Service (Production) 16
Self Service (Non-production) <1
Enterprise (Production) 16
Enterprise (Non-production) <1

There is burst capability built into the limits so if traffic briefly exceeds the sustained rate limits it will not be limited. See Understand Rate Limits Burst Capability for details on rate limit behavior when the sustained limits are exceeded.  The rate limits include calls made via Rules and are set by tenant and not by endpoint. Each endpoint is configured with a bucket that defines request limit and the rate limit window (per second, per minute, per day, etc.).

For some API endpoints, the rate limits are defined per bucket, so the origins of the call do not influence the rate limit changes. For other buckets, the rate limits are defined using different keys, so the originating IP address is considered when counting the number of received API calls.

If you are using an API endpoint not listed below and you receive rate limit headers as part of your response, see Attack Protection for more information.

The following Auth0 Management API endpoints return rate limit-related headers. For additional information about these endpoints, please consult the Management API explorer.

Enterprise and Startup subscription limits

Most endpoints are rate limited to 50 rps (requests per second) and 1000 rpm (requests per minute). Endpoints with additional rate limits are documented below:

Endpoint Group Path Rate Limit (per second) Rate Limit (per minute)
Read organizations GET /api/v2/organizations 10 100
GET /api/v2/organizations/{id}
Read user's organizations GET /api/v2/users/{id}/organizations 40 500
Get organization by name GET /api/v2/organizations/name/{name} 20 200
Write organizations POST /api/v2/organizations 5 150
PATCH /api/v2/organizations/{id} 5 150
DELETE /api/v2/organizations/{id} 5 150
Read organization members GET /api/v2/organizations/{id}/members 40 500
GET /api/v2/organizations/{id}/invitations 40 500
Write organization members POST /api/v2/organizations/{id}/members 20 200
POST /api/v2/organizations/{id}/invitations 20 200
DELETE /api/v2/organizations/{id}/members 20 200
DELETE /api/v2/organizations/{id}/invitations/{invitation_id} 20 200
Read organization member invitation GET /api/v2/organizations/{id}/invitations/{invitation_id} 20 200
Read organization member roles GET /api/v2/organizations/{id}/members/{user_id}/roles 20 200
Write organization member roles POST /api/v2/organizations/{id}/members/{user_id}/roles 20 200
DELETE /api/v2/organizations/{id}/members/{user_id}/roles 20 200
Read organization connections GET /api/v2/organizations/{id}/enabled_connections/ 10 100
GET /api/v2/organizations/{id}/enabled_connections/{connection_id} 10 100
Write organization connections POST /api/v2/organizations/{id}/enabled_connections 5 150
PATCH /api/v2/organizations/{id}/enabled_connections/{connection_id} 5 150
DELETE /api/v2/organizations/{id}/enabled_connections 5 150

Self-service subscription limits

Endpoint Group Path Rate Limit (per second) Rate Limit (per minute)
Read users GET /api/v2/users 40 500
GET /api/v2/users-by-email
GET /api/v2/users/{id}
Write users POST /api/v2/users 20 200
POST /api/v2/users/{id}/identities
PATCH /api/v2/users/{id}
DELETE /api/v2/connections/{id}/users
DELETE /api/v2/users/{id}/identities/{provider}/{user_id}
DELETE /api/v2/users/{id}
Read logs GET /api/v2/logs 10 100
GET /api/v2/logs/{id}
GET /api/v2/users/{id}/logs
Read clients GET /api/v2/clients 5 100
GET /api/v2/clients/{id}
Read connections GET /api/v2/connections 10 100
GET /api/v2/connections/{id}
Write device credentials POST /api/v2/device-credentials 5 100
DELETE /api/v2/device-credentials/{id}
All other endpoints combined 10 150

Endpoint limits for all subscriptions

Endpoint Path Rate Limit (per second) Rate Limit (per minute) Rate Limit (per day)
Verify custom domain POST /api/v2/custom-domains{id}/verify n/a 5 n/a
Register dynamic client POST /oidc/register 5 n/a n/a
Read connection status GET /api/v2/connections/{id}/status 15 n/a n/a
Rotate signing keys POST /api/v2/keys/signing/rotate n/a n/a 5

Concurrent import users job limits

The create import users job endpoint has a limit of 2 concurrent import jobs. If you request additional jobs while there are 2 pending returns, the following response occurs:

  "statusCode": 429,
  "error": "Too Many Requests",
  "message": "There are 2 active import users jobs, please wait until some of them are finished and try again

Was this helpful?


Access token limits for single-page applications

If you obtain access tokens for your single-page applications (SPAs), there are rate limits that are applicable when working with the available current_user-related scopes and endpoints. You are allowed a maximum of 10 requests per minute per user.

Private Cloud rate limit policies

Private Cloud customer rate limits are specific to your service tier. All values are measured in Requests per Second.

API Basic Performance Performance Plus
Management API Prod 50 250 750
Management API Dev 25 125 375
Tenant Per Minutes 3000 15000 45000

Private cloud has different global limits for the Management API, all service specific enterprise rate limits still apply.

Learn more