Self Service

See below for the rate limit policies for the Self service subscription type.

Authentication API

Rate Limits for the Authentication API and API Endpoints in the Self service subscription type.

API	Burst Request Limit	Sustained Request Limit
Authentication API	25	25/second

Endpoint	Method	Burst Request Limit	Sustained Request Limit	Limit Type
User Info	`GET`, `POST`	10	5/minute	To a unique User ID
Change Password Reset Password with Universal Login	`POST`	10	1/minute	From an IP Address to a unique Email Address
Signup*	`POST`	50	50/minute	From an IP Address
Get Passwordless Code or Link	`GET`, `POST`	50	50/hour	From an IP Address
Native Social Login (Apple / Facebook Only)	`POST`	50	500/minute	Any Request for Apple or Facebook Native Social Login
Dynamic Application (Client) Registration	`POST`	5	5/second	Any request
Universal Logout	`POST`	35	35/second	Any request
Pushed Authorization Requests (PAR)	`POST`	100	100/second	From an IP Address
Back-Channel authorize (CIBA)	`POST`	500	500/minute	From an IP Address
Device code activation (no prompt)	`POST`	30	6/second	From an IP Address
Device code authorization	`POST`	5	5/second	From an IP Address
MFA OOB token exchange	`POST`	12	12/minute	To a unique session

*Represents the default limit. You can configure the Signup endpoint limit in Auth0 Dashboard. To learn more, read Suspicious IP Throttling.

Management API

Rate Limits for the Management API, API Endpoints, and API Endpoint Groups in the Self service subscription type.

Endpoint	Method	Burst Request Limit	Sustained Request Limit	Limit Type
Get Organizations	`GET`	5	50/minute	Any request
Get Organizations by ID	`GET`	20	200/minute	Any request
Get Organizations by Name	`GET`	10	100/minute	Any request
Create an Organization	`POST`, `PATCH`, `DELETE`	5	25/minute	Any request
Get Organization Members	`GET`	40	500/minute	Any request
Add Organization Members	`POST`, `DELETE`	20	200/minute	Any request
Get Members of an Organization	`GET`	20	200/minute	Any request
Get Organization Member Roles	`GET`	20	200/minute	Any request
Create Organization Member Roles	`POST`, `DELETE`	20	200/minute	Any request
Get Organization Connections	`GET`	5	50/minute	Any request
Create Organization Connections	`POST`, `PATCH`, `DELETE`	5	25/minute	Any request
Get Users	`GET`	40	500/minute	Any request
Create Users	`POST`, `PATCH`	20	200/minute	Any request
Delete Users	`DELETE`	20	200/minute	Any request
Get Logs	`GET`	10	100/minute	Any request
Get Clients	`GET`	5	100/minute	Any request
Get Connections	`GET`	5	50/minute	Any request
Create Device Credentials	`POST`, `DELETE`	5	100/minute	Any request
Verify Custom Domain	`POST`	5	5/minute	Any request
Get Status Connection	`GET`	100	15/second	Any request
Rotate Signing Keys	`POST`	5	5/day	Any request
Get Partials for a Prompt	`GET`	5	5/minute	Any request
Create Partials for a Prompt	`PUT`	5	5/minute	Any request
Get Clients Only applies to the usage of the `q` parameter.	`GET`	5	150/minute	Any request
Get Organization Client Grants	`GET`	10	100/minute	Any request
Create Organization Client Grants	`POST`	5	150/minute	Any request
Configure email templates	`POST`, `PATCH`, `DELETE`	5	25/minute	Any request
Read email templates	`GET`	10	50/minute	Any request
Configure email provider	`POST`, `PATCH`, `DELETE`	5	25/minute	Any request
Read email provider	`GET`	5	25/minute	Any request
All other Endpoints Combined	N/A	10	150/minute	Any request

SCIM API

Rate limits for the inbound SCIM API endpoints in Public cloud subscriptions that include Enterprise connections.

Limit Type	Endpoint Path	Operation	Limit
Single SCIM connection endpoint	`/scim/v2/connections/{connection-id}`	Any request	25 requests per second
Global tenant limit for all SCIM connections	`/scim/v2/connections/*`	Any request	100 requests per second

Universal Login Flow Endpoints

Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.

Endpoint	Method	Burst Request Limit	Sustained Request Limit	Limit Type
Universal login prompts (global)	`GET`, `POST`	500	500/minute	From an IP Address
Universal login prompts (per prompt)	`GET`	20	10/minute	From an IP Address
Universal login prompts (per prompt)	`POST`	10	5/minute	From an IP Address
Password reset prompt	`GET`	500	500/minute	From an IP Address
MFA push enrollment prompt	`GET`, `POST`	500	500/minute	From an IP Address
MFA push challenge prompt	`GET`, `POST`	500	500/minute	From an IP Address
MFA SMS enrollment prompt	`GET`	20	10/minute	From an IP Address
MFA SMS enrollment prompt	`POST`	10	5/minute	From an IP Address
MFA SMS enrollment verify prompt	`GET`	20	10/minute	From an IP Address
MFA SMS enrollment verify prompt	`POST`	10	5/minute	From an IP Address
Passwordless SMS challenge prompt	`GET`, `POST`	5	5/minute	From an IP Address
Passwordless email challenge prompt	`GET`, `POST`	5	5/minute	From an IP Address
Phone verification enrollment prompt	`GET`, `POST`	5	5/minute	From an IP Address
Phone verification challenge prompt	`GET`, `POST`	5	5/minute	From an IP Address
Device code prompt	`GET`, `POST`	5	5/second	From an IP Address

Additional MFA rate limits.

Endpoint	Burst Request Limit	Sustained Request Limit	Limit Type	Limit
OTP (6 numeric digits) failures	10	10	per hour	To a unique User ID
Recovery code failures	10	10	per hour	To a unique User ID
Webauthn challenge failures	15	15	per minute	To a unique User ID
Webauthn challenge generated	15	15	per minute	To a unique User ID
Push notifications sent per user	5	5	per minute	To a unique User ID
SMS sent per user	10	1	per hour	To a unique User ID
Email sent per user	20	1	per minute	To a unique User ID

Troubleshoot

Self Service