Error Message "You've Exceeded the Rate Limit for /u/login/identifier"

Overview

During some login attempts, the following error is generated and displayed for the user:

invalid_request: You’ve exceeded the rate limit for /u/login/identifier. Please try again in a short while.


Cause

The rate limit for the authentication API was exceeded. There are a few possibilities:

  • Global limit exceeded
  • Limit per transaction (tenant + session ID) exceeded
  • Limit per IP exceeded

‘/u/login/identifier’ and other prompts are affected by the authentication API global limit.

Rate limits are on the Universal Login Prompts to ensure stability and consistency across the platform. The values that apply to both production and development tenants are:

  • RPM for GET: 20 burst, 10 per minute
  • RPM for POST: 10 burst, 5 per minute

The above limits are applied per transaction and per IP, not globally. There is a separate limit for each screen the user sees. Because each transaction is identified by its state handle, the limits consumed by one transaction do not interfere with a new one. This also protects users coming from the same intranet, since every user has their own limits, which allows Auth0 to keep the limits low and provide more protection.
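The following is an added illustration of how the limits described above behave; it is not Auth0 code and does not reflect Auth0's implementation. It models each limit as a token bucket whose capacity is the "burst" value and whose refill rate is the "per minute" value, tracked separately per transaction (tenant plus session state) and per client IP. The event field names and the sample events are constructed for the example.

```python
"""Token-bucket model of the Universal Login prompt rate limits.

Added illustration, not Auth0 code. Assumptions: each limit is a token bucket
with capacity = burst and refill = per-minute value; one bucket per
(method, tenant, session state) and one per (method, client IP).
"""
from dataclasses import dataclass, field

# Values from the article: (burst capacity, sustained requests per minute).
LIMITS = {
    "GET": (20, 10),
    "POST": (10, 5),
}


@dataclass
class TokenBucket:
    capacity: int
    refill_per_min: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A fresh bucket starts full, so the first "burst" requests pass.
        self.tokens = float(self.capacity)

    def refill(self, now: float) -> None:
        # Add tokens proportionally to elapsed seconds, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity),
                          self.tokens + elapsed * self.refill_per_min / 60.0)
        self.last = now

    def take(self, now: float) -> bool:
        self.refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PromptRateLimiter:
    """Per-transaction and per-IP buckets, keyed separately for GET and POST."""

    def __init__(self) -> None:
        self._buckets: dict = {}

    def _bucket(self, key: tuple, method: str) -> TokenBucket:
        if key not in self._buckets:
            burst, per_min = LIMITS[method]
            self._buckets[key] = TokenBucket(burst, per_min)
        return self._buckets[key]

    def allow(self, method: str, tenant: str, state: str, ip: str, now: float) -> bool:
        tx = self._bucket(("tx", method, tenant, state), method)
        per_ip = self._bucket(("ip", method, ip), method)
        tx.refill(now)
        per_ip.refill(now)
        # Serve the request only if both the transaction and the IP have budget;
        # consume from both so neither bucket is charged for a rejected call.
        if tx.tokens < 1.0 or per_ip.tokens < 1.0:
            return False
        tx.tokens -= 1.0
        per_ip.tokens -= 1.0
        return True


# Constructed sample: user A posts to /u/login/identifier 11 times in one second,
# user B starts a separate transaction from another IP, then A retries 12 s later.
SAMPLE_EVENTS = (
    [{"method": "POST", "tenant": "example-tenant", "state": "state-A",
      "ip": "198.51.100.10", "t": 100.0 + 0.1 * i} for i in range(11)]
    + [{"method": "POST", "tenant": "example-tenant", "state": "state-B",
        "ip": "203.0.113.7", "t": 101.0}]
    + [{"method": "POST", "tenant": "example-tenant", "state": "state-A",
        "ip": "198.51.100.10", "t": 113.0}]
)


def replay(events: list) -> list:
    """Return, for each event in order, whether the limiter would serve it."""
    limiter = PromptRateLimiter()
    return [limiter.allow(e["method"], e["tenant"], e["state"], e["ip"], e["t"])
            for e in events]


if __name__ == "__main__":
    for event, served in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={event['t']:6.1f} {event['state']} {event['ip']:>14} -> "
              f"{'ok' if served else 'rate limited'}")
```

In the sample, the first ten POSTs from user A pass (burst of 10), the eleventh within the same second is rejected, user B's separate transaction from a different IP is unaffected, and user A's retry 12 seconds later succeeds because the POST bucket has refilled one token (5 per minute).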

Solution

These limits are not customizable. The limit does not affect other users in the tenant, so a single user cannot cause an outage. It only prevents that user from making repeated calls to the same endpoint.

To investigate the root cause of the rate limiting, you may enable the “Risk Assessment” option in the Bot Detection feature. This generates Pre-login risk assessment logs with the log type “pla”. A large number of these logs for a single IP will lead to rate-limited requests from that IP.