Auth0 Management API Throttling

We are having big problems with the Auth0 management API throttling. Are there any plans to increase the number of API calls permitted per second (both in production and development environments)?

In order to facilitate quite complex user access management (users have access to certain features on a specific customer/location with specific read or readwrite access rights), we have created our own backend/frontend for setting these. However, when changes are made that affect multiple users, it can take forever to update the user access rights in Auth0 (through management API calls). Only two calls are allowed per second in the development environment (with a couple of hundred users affected it takes many minutes to complete the operation), and also in production the throttling can make things very slow.

Hi @per.kristensen,

Welcome to the Auth0 Community!

Unfortunately, there are no plans to increase the number of API calls for either Production or Development Environments.

Most of the time, Rate-Limits can be circumvented by revising your current architecture and design. In this situation, I suggest reaching out to your Technical Account Manager (TAM) to discuss your options.

In the meantime, please see the following FAQ on How to tell if you are approaching the Rate-Limit.

Please let me know if you have any further questions.

Thank you.

Hi Rueben,

Thanks for the quick reply!

Unfortunately, there is no easy fix on this from our side. The essential problem is that you need to make one call per user. When a change affecting hundreds of users has occurred, this will inevitably take a lot of time. With a simpler setup for the access rights, roles could potentially have solved the issue. This is however not an alternative for us as the number of access permutations would mean thousands of different roles.

On your side it should not make much difference if the limits are increased. The number of calls will be the same anyway (just distributed over a longer time for one of the users). Since you probably have lots of users (i.e. company customers), you will anyway have a relatively steady load over time.

Thank you.

Hi @per.kristensen,

Thank you for your reply and clarification.

I understand that you are bulk updating users, which requires one call per user when using the Management API.

Unfortunately, my best recommendation would be to:

  1. Perform a bulk update by first exporting your users, and then bulk importing them with the new information (e.g., user_metadata) with upsert: true. This way you only make one Management API call for exporting and importing.

  2. Alternatively, you could consider using a Post-Login Action to update the users programmatically as they log in. For example. And then writing a second Action that would determine the user’s access rights. You would have to write the Actions asynchronously since Actions batch requests.

  3. Lastly, if possible, you should attempt to reduce the update frequency in your current implementation so that it is within the sustained request per second for the Update a User endpoint.

Hope this helps!

Please let me know if there’s anything else I can do to help.

Thank you.
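
An added example, not part of the original thread and not Auth0's own code, of the third recommendation above: pacing per-user updates to a sustained rate (two per second, the development figure mentioned in the question) and waiting for the window to reset after an HTTP 429. The `send` callable is a hypothetical wrapper around the Update a User request that returns `(status_code, headers)` with lowercase header names; `x-ratelimit-reset` is read as a Unix timestamp, and the user IDs and clock in `_demo` are constructed.

```python
import time

def paced_updates(user_ids, send, rate_per_sec=2.0, max_retries=5,
                  clock=time.time, sleep=time.sleep):
    """Call send(user_id) for each user without exceeding rate_per_sec.

    send is a hypothetical callable (assumption, see lead-in) that performs
    one update and returns (status_code, headers). Returns {user_id: status};
    a user still throttled after max_retries keeps status 429.
    """
    interval = 1.0 / rate_per_sec
    next_slot = clock()              # earliest time the next call may go out
    results = {}
    for uid in user_ids:
        for _attempt in range(max_retries + 1):
            wait = next_slot - clock()
            if wait > 0:
                sleep(wait)
            status, headers = send(uid)
            next_slot = clock() + interval
            if status != 429:
                break
            # Throttled: hold all further calls until the limit window resets,
            # but never for less than one pacing interval.
            reset = float(headers.get("x-ratelimit-reset", 0))
            next_slot = max(next_slot, reset)
        results[uid] = status
    return results

def _demo():
    """Constructed run with a fake clock; the second user is throttled once."""
    now = [1000.0]
    slept, calls = [], []

    def fake_sleep(seconds):
        slept.append(seconds)
        now[0] += seconds

    def fake_send(uid):
        calls.append((uid, now[0]))
        if uid == "auth0|b" and [c[0] for c in calls].count(uid) == 1:
            return 429, {"x-ratelimit-reset": str(now[0] + 3)}
        return 200, {}

    results = paced_updates(["auth0|a", "auth0|b", "auth0|c"], fake_send,
                            clock=lambda: now[0], sleep=fake_sleep)
    return results, calls, slept

if __name__ == "__main__":
    print(_demo())
```
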