I am building a RESTful API using Auth0 as our authentication method. However, I am running into rate limiting, even after converting to a paid plan and setting our tenant environment to “production”.
Currently, I expect anyone calling my API to pass the (non-JWT) token we get from a successful Auth0 login. I then pass that token to https://OURCOMPANY.auth0.com/userinfo to make sure this is an existing user, and use the subject from userinfo’s response to match the Auth0 user to a user in our database.
The problem is that I am being rate-limited after around 10 rapid requests, which routinely happens when I run a suite of regression tests which hits my API several times in the space of a second or two, which in turn repeatedly calls /userinfo to make sure I have an authed user each time.
I understand that developers are expected, generally, to decode the JWT token and manually validate its claims. However, what if the user has been deleted or blocked since then? Is there any way to query back to Auth0 on a regular basis to make sure the user remains valid?
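As an added example (not from the post and not Auth0's own code), this is one way to keep the per-request /userinfo lookup described above from tripping the rate limit while still re-checking on a regular basis: a cache keyed on a hash of the opaque token that calls /userinfo at most once per token per TTL window, serves the last verified subject for one extra window if Auth0 answers 429, and forgets the token as soon as /userinfo rejects it (deleted or blocked user). The `fetch_userinfo` callable and the `FakeUserInfo` stand-in are assumptions; in production the callable would perform the HTTPS GET against https://OURCOMPANY.auth0.com/userinfo with the bearer token.

```python
import hashlib
import time
from typing import Callable, Dict, Tuple

class RateLimited(Exception):
    """The fetcher raises this when Auth0 answers HTTP 429 (Too Many Requests)."""
class InvalidToken(Exception):
    """The fetcher raises this when /userinfo rejects the token (e.g. deleted or blocked user)."""

class UserInfoCache:
    """Re-verifies each bearer token against /userinfo at most once per `ttl` seconds."""
    def __init__(self, fetch_userinfo: Callable[[str], dict], ttl: float = 300.0,
                 clock: Callable[[], float] = time.time):
        # assumption: fetch_userinfo does GET /userinfo with "Authorization: Bearer <token>"
        self._fetch, self._ttl, self._clock = fetch_userinfo, ttl, clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # token hash -> (sub, verified_at)

    def resolve_subject(self, token: str) -> str:
        key = hashlib.sha256(token.encode()).hexdigest()  # never keep raw tokens as dict keys
        now = self._clock()
        entry = self._entries.get(key)
        if entry and now - entry[1] < self._ttl:
            return entry[0]                          # fresh enough: no round-trip to Auth0
        try:
            sub = self._fetch(token)["sub"]          # the one /userinfo call per token per window
        except RateLimited:
            # Auth0 said 429: serve the last verified subject for one extra ttl window rather
            # than failing every request in the burst; after that, propagate the error.
            if entry and now - entry[1] < 2 * self._ttl:
                return entry[0]
            raise
        except InvalidToken:
            self._entries.pop(key, None)             # deleted or blocked user: forget it now
            raise
        self._entries[key] = (sub, now)
        return sub

class FakeUserInfo:
    """Constructed stand-in for /userinfo, used only to exercise the cache offline."""
    def __init__(self):
        self.calls, self.rate_limited, self.blocked = 0, False, set()

    def __call__(self, token: str) -> dict:
        self.calls += 1
        if self.rate_limited:
            raise RateLimited()
        if token in self.blocked:
            raise InvalidToken()
        return {"sub": "auth0|" + token}  # constructed subject, e.g. "auth0|tok1"
```

With a 60-second window, a regression suite that hits the API ten times in a second costs one /userinfo call per token instead of ten, and a user who is blocked is refused at the next re-check.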