Auth0 Rate Limit /oauth/token endpoint - Custom actions or Hooks

Hi Team,
We would like to have a custom action or hook to handle the number of token requests that are sent to Auth0. We don't want the other customers to be impacted because of one customer sending multiple requests to the token endpoint.

Any leads which I can look into?

Can we use custom actions/hooks? If yes, please help with some sample.

Hi @sudeesh,

Welcome back to the Auth0 Community!

A post login Action would be running after a successful authentication takes place. This means it wouldn’t necessarily prevent requests to the token endpoint. Are you running into a scenario where a single user is causing rate limit errors for your whole tenant?

This may fall under Attack Protection.

Hi @dan.woda,
Thanks for the details. It is the client credentials token which we would like to limit before it hits the rate limit of Auth0.

Are you concerned with the user hitting the Rate Limit Policy or the user using up your Token Quota?

In case one user is hitting the token endpoint continuously and reaches the rate limit, it will affect the other users also. So we want to have a limit set for a user to use the token generation endpoint with some limits.

Thanks for the added info.

The client should be caching tokens, and requesting +30 tokens/second in a single client would be quite unusual. You could simply revoke their credentials, have you considered this?

When there are multiple such clients, that's where we were thinking of having a way to reject or return 429 through custom action or hooks.

You can deny requests from M2M clients with the Machine to Machine Flow Action trigger.

This won’t necessarily prevent requests but will allow you to deny successful requests.

So if we deny the request, will it count for the Rate Limit?

Apologies for the delay.

I reached out to the team on that question and found that incoming requests are counted before they are deemed successful or not.
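As an added illustration of the Machine to Machine Flow Action approach suggested above (example code, not from the thread or from Auth0), the Action below denies the client credentials grant for client_ids listed in a Secret. The Secret name BLOCKED_CLIENT_IDS, the error code and the sample event are assumptions; as the reply notes, a denied request is still counted against the rate limit, so this stops tokens being issued but does not relieve the limit.

```javascript
// Added example: Auth0 Machine to Machine Flow Action (credentials-exchange trigger).
// Assumes a Secret named BLOCKED_CLIENT_IDS holding a comma-separated list of client_ids.
// Denying here prevents the token from being issued; the request itself still counts
// toward the tenant rate limit, so client-side token caching remains the real fix.

// Parse the comma-separated denylist into a Set, ignoring blanks and surrounding spaces.
function parseBlockedClients(raw) {
  return new Set(
    String(raw || '')
      .split(',')
      .map((id) => id.trim())
      .filter((id) => id.length > 0),
  );
}

// Pure decision logic, kept apart from the Action entry point so it can be unit tested.
// Returns { denied: false } or { denied: true, code, reason }.
function decide(event) {
  const blocked = parseBlockedClients(event.secrets && event.secrets.BLOCKED_CLIENT_IDS);
  const clientId = event.client && event.client.client_id;
  if (blocked.has(clientId)) {
    return {
      denied: true,
      code: 'client_throttled', // constructed error code returned in the token response
      reason: 'Client credentials grant temporarily disabled for this client',
    };
  }
  return { denied: false };
}

// Action entry point: api.access.deny(code, reason) fails the token exchange.
async function onExecuteCredentialsExchange(event, api) {
  const verdict = decide(event);
  if (verdict.denied) {
    api.access.deny(verdict.code, verdict.reason);
  }
}

// Constructed sample event shaped like what the trigger passes in (placeholder ids).
const sampleEvent = {
  client: { client_id: 'noisy-client-id-placeholder' },
  secrets: { BLOCKED_CLIENT_IDS: ' noisy-client-id-placeholder, other-placeholder ' },
};

// Auth0 loads the Action via CommonJS exports; guarded so the file also runs as a script.
if (typeof exports !== 'undefined') {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}
```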
