Private Cloud Performance 6000 RPS (60x) and 6000 RPS (60x) Burst
See below for the rate limits in the Private Cloud Performance 6000 RPS (60x) and 6000 RPS (60x) Burst subscription types.
Therefore, we recommend deploying one tenant per private cloud environment for risk mitigation.
Authentication API
Rate limits for the Authentication API, API endpoints, and API endpoint groups in the Private Cloud Performance 6000 RPS (60x) subscription type.
| API | Burst Request Limit | Sustained Request Limit | Peak Request Limit |
|---|---|---|---|
| Authentication API | 6000 | 6000/second | N/A |
| Authentication API (60x Burst) | 3000 | 3000/second | 6000 Burst; 6000/second sustained |
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| User Info | GET, POST |
10 | 5/minute | To a unique User ID |
| Change Password Reset Password with Universal Login |
POST |
10 | 1/minute | From an IP Address to a unique Email Address |
| Signup* | POST |
50 | 50/minute | From an IP Address |
| Get Passwordless Code or Link | GET, POST |
50 | 50/hour | From an IP Address |
| Native Social Login (Apple / Facebook Only) | POST |
50 | 500/minute | Any Request for Apple or Facebook Native Social Login |
| Dynamic Application (Client) Registration | POST |
5 | 5/second | Any request |
| Universal Logout | POST |
1500 | 1500/second | Any request |
| Pushed Authorization Requests (PAR) | POST |
100 | 100/second | From an IP Address |
| Back-Channel authorize (CIBA) | POST |
500 | 500/minute | From an IP Address |
| Device code activation (no prompt) | POST |
30 | 6/second | From an IP Address |
| Device code authorization | POST |
5 | 5/second | From an IP Address |
| MFA OOB token exchange | POST |
12 | 12/minute | To a unique session |
Management API
Rate limits for the Management API, API endpoints, and API endpoint groups in the Private Cloud Performance 6000 RPS (60x) subscription type.
| API | Burst Request Limit | Sustained Request Limit |
|---|---|---|
| Management API | 3000 | 3000/second |
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Get Organizations | GET |
600 | 6000/minute | Any request |
| Get Organizations by ID | GET |
600 | 30000/minute | Any request |
| Get Organizations by Name | GET |
1200 | 12000/minute | Any request |
| Create an Organization | POST, PATCH, DELETE |
300 | 9000/minute | Any request |
| Get Organization Members | GET |
2400 | 30000/minute | Any request |
| Add Organization Members | POST, DELETE |
1200 | 12000/minute | Any request |
| Get Members of an Organization | GET |
1200 | 12000/minute | Any request |
| Get Organization Member Roles | GET |
1200 | 12000/minute | Any request |
| Create Organization Member Roles | POST, DELETE |
1200 | 12000/minute | Any request |
| Get Organization Connections | GET |
600 | 6000/minute | Any request |
| Create Organization Connections | POST, PATCH, DELETE |
300 | 9000/minute | Any request |
| Verify Custom Domain | POST |
5 | 5/minute | Any request |
| Get Status Connection | POST |
100 | 15/second | Any request |
| Rotate Signing Keys | POST |
5 | 5/day | Any request |
| Get Partials for a Prompt | GET |
5 | 5/minute | Any request |
| Create Partials for a Prompt | PUT |
5 | 5/minute | Any request |
| Get Clients
|
GET |
300 | 9000/minute | Any request |
| Get Organization Client Grants | GET |
600 | 6000/minute | Any request |
| Create Organization Client Grants | POST |
300 | 9000/minute | Any request |
SCIM API
Rate limits for the inbound SCIM API endpoints in the Private Cloud Performance 6000 RPS (60x) subscription type.
| Limit Type | Endpoint Path | Operation | Limit |
|---|---|---|---|
| Single SCIM connection endpoint | /scim/v2/connections/{connection-id} |
Any request | 25 requests per second |
| Global tenant limit for all SCIM connections | /scim/v2/connections/* |
Any request | 3000 requests per second |
Universal Login Flow Endpoints
Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Universal login prompts (global) | GET, POST |
500 | 500/minute | From an IP Address |
| Universal login prompts (per prompt) | GET |
20 | 10/minute | From an IP Address |
| Universal login prompts (per prompt) | POST |
10 | 5/minute | From an IP Address |
| Password reset prompt | GET |
500 | 500/minute | From an IP Address |
| MFA push enrollment prompt | GET, POST |
500 | 500/minute | From an IP Address |
| MFA push challenge prompt | GET, POST |
500 | 500/minute | From an IP Address |
| MFA SMS enrollment prompt | GET |
20 | 10/minute | From an IP Address |
| MFA SMS enrollment prompt | POST |
10 | 5/minute | From an IP Address |
| MFA SMS enrollment verify prompt | GET |
20 | 10/minute | From an IP Address |
| MFA SMS enrollment verify prompt | POST |
10 | 5/minute | From an IP Address |
| Passwordless SMS challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Passwordless email challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Phone verification enrollment prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Phone verification challenge prompt | GET, POST |
5 | 5/minute | From an IP Address |
| Device code prompt | GET, POST |
5 | 5/second | From an IP Address |
Additional MFA rate limits.
Additional MFA rate limits.
| Endpoint | Burst Request Limit | Sustained Request Limit | Limit Type | Limit |
|---|---|---|---|---|
| OTP (6 numeric digits) failures | 10 | 10 | per hour | To a unique User ID |
| Recovery code failures | 10 | 10 | per hour | To a unique User ID |
| Webauthn challenge failures | 15 | 15 | per minute | To a unique User ID |
| Webauthn challenge generated | 15 | 15 | per minute | To a unique User ID |
| Push notifications sent per user | 5 | 5 | per minute | To a unique User ID |
| SMS sent per user | 10 | 1 | per hour | To a unique User ID |
| Email sent per user | 20 | 1 | per minute | To a unique User ID |