Self Service
See below for the rate limit policies for the Self service subscription type.
Authentication API
Rate Limits for the Authentication API and API Endpoints in the Self service subscription type.
| API | Burst Request Limit | Sustained Request Limit |
|---|---|---|
| Authentication API | 25 | 25/second |
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| User Info | GET, POST |
10 | 5/minute | To a unique User ID |
| Change Password Reset Password with Universal Login |
POST |
10 | 1/minute | From an IP Address to a unique Email Address |
| Get Passwordless Code or Link | GET, POST |
50 | 50/hour | From an IP Address |
| Native Social Login (Apple / Facebook Only) | POST |
50 | 500/minute | Any Request for Apple or Facebook Native Social Login |
| Dynamic Application (Client) Registration | POST |
5 | 5/second | Any request |
| Universal Logout | POST |
35 | 35/second | Any request |
| Pushed Authorization Requests (PAR) | POST |
100 | 100/second | From an IP Address |
| Back-Channel authorize (CIBA) | POST |
500 | 500/minute | From an IP Address |
| Device code activation (no prompt) | POST |
30 | 6/second | From an IP Address |
| Device code authorization | POST |
5 | 5/second | From an IP Address |
| MFA OOB token exchange | POST |
12 | 12/minute | To a unique session |
Management API
Rate Limits for the Management API, API Endpoints, and API Endpoint Groups in the Self service subscription type.
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Get Organizations | GET |
5 | 50/minute | Any request |
| Get Organizations by ID | GET |
20 | 200/minute | Any request |
| Get Organizations by Name | GET |
10 | 100/minute | Any request |
| Create an Organization | POST, PATCH, DELETE |
5 | 25/minute | Any request |
| Get Organization Members | GET |
40 | 500/minute | Any request |
| Add Organization Members | POST, DELETE |
20 | 200/minute | Any request |
| Get Members of an Organization | GET |
20 | 200/minute | Any request |
| Get Organization Member Roles | GET |
20 | 200/minute | Any request |
| Create Organization Member Roles | POST, DELETE |
20 | 200/minute | Any request |
| Get Organization Connections | GET |
5 | 50/minute | Any request |
| Create Organization Connections | POST, PATCH, DELETE |
5 | 25/minute | Any request |
| Get Users | GET |
40 | 500/minute | Any request |
| Create Users | POST, PATCH |
20 | 200/minute | Any request |
| Delete Users | DELETE |
20 | 200/minute | Any request |
| Get Logs | GET |
10 | 100/minute | Any request |
| Get Clients | GET |
5 | 100/minute | Any request |
| Get Connections | GET |
5 | 50/minute | Any request |
| Create Device Credentials | POST, DELETE |
5 | 100/minute | Any request |
| Verify Custom Domain | POST |
5 | 5/minute | Any request |
| Get Status Connection | GET |
100 | 15/second | Any request |
| Rotate Signing Keys | POST |
5 | 5/day | Any request |
| Get Partials for a Prompt | GET |
5 | 5/minute | Any request |
| Create Partials for a Prompt | PUT |
5 | 5/minute | Any request |
| Get Clients
|
GET |
5 | 150/minute | Any request |
| Get Organization Client Grants | GET |
10 | 100/minute | Any request |
| Create Organization Client Grants | POST |
5 | 150/minute | Any request |
| Configure email templates | POST, PATCH, DELETE |
5 | 25/minute | Any request |
| Read email templates | GET |
10 | 50/minute | Any request |
| Configure email provider | POST, PATCH, DELETE |
5 | 25/minute | Any request |
| Read email provider | GET |
5 | 25/minute | Any request |
| All other Endpoints Combined | N/A | 10 | 150/minute | Any request |
SCIM API
Rate limits for the inbound SCIM API endpoints in Public cloud subscriptions that include Enterprise connections.
| Limit Type | Endpoint Path | Operation | Limit |
|---|---|---|---|
| Single SCIM connection endpoint | /scim/v2/connections/{connection-id} |
Any request | 25 requests per second |
| Global tenant limit for all SCIM connections | /scim/v2/connections/* |
Any request | 100 requests per second |
Universal Login Flow Endpoints
Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Universal login prompts (global) | GET, POST |
500 | 500/minute | From an IP Address |
| Universal login prompts (per prompt) | GET |
20 | 10/minute | From an IP Address |
| Universal login prompts (per prompt) | POST |
10 | 5/minute | From an IP Address |
| Password reset prompt | GET |
500 | 500/minute | From an IP Address |
| MFA push enrollment prompt | GET, POST |
500 | 500/minute | From an IP Address |
| MFA push challenge prompt | GET, POST |
500 | 500/minute | From an IP Address |
| MFA SMS enrollment prompt | GET |
20 | 10/minute | From an IP Address |
| MFA SMS enrollment prompt | POST |
10 | 5/minute | From an IP Address |
| MFA SMS enrollment verify prompt | GET |
20 | 10/minute | From an IP Address |
| MFA SMS enrollment verify prompt | POST |
10 | 5/minute | From an IP Address |
| Passwordless SMS challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Passwordless email challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Phone verification enrollment prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Phone verification challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Device code prompt | GET, POST |
5 | 5/second | From an IP Address |
Additional MFA rate limits.
Additional MFA rate limits.
| Endpoint | Burst Request Limit | Sustained Request Limit | Limit Type | Limit |
|---|---|---|---|---|
| OTP (6 numeric digits) failures | 10 | 10 | per hour | To a unique User ID |
| Recovery code failures | 10 | 10 | per hour | To a unique User ID |
| Webauthn challenge failures | 15 | 15 | per minute | To a unique User ID |
| Webauthn challenge generated | 15 | 15 | per minute | To a unique User ID |
| Push notifications sent per user | 5 | 5 | per minute | To a unique User ID |
| SMS sent per user | 10 | 1 | per hour | To a unique User ID |
| Email sent per user | 20 | 1 | per minute | To a unique User ID |