Further clarification on the rate limit of Authentication APIs

Hi Everyone,
I’m reading a document related to rate limit but some statements are not clear for me. According to the document, the rate limit for sum of all combined requests to any Authentication API endpoint is 100 requests per second on tenant production. My question is if the limit is for per user or for any requests to be accumulated? In my case, a main app needs give tokens to other apps that are placed within trusty zone and the main app makes use of refresh token to generate access token. If the rate limit is for any requests accumulated, it’d be a problem in my deign. If the design fall into this rate limit, someone could advice me to overcome it? Thank you.

1 Like

I believe it is accumulated. In addition to that some endpoints have even smaller rate limits for eg. /userinfo has rate limit of 5 req/min (10 in case of a burst) so it is possible to hit a endpoint rate limit before hitting the accumulated 100 req/sec rate limit.

Anyways rate limits are subject to change so you should always make sure your implementation is handling the situation when a rate limit is reached. the same page has this section that talks about how you should implement your endpoint calling in case you exceed the limit https://auth0.com/docs/policies/rate-limits#exceeding-the-rate-limit

Hope that helps.

1 Like

Hi ashish,
I appreciate your quick reply. As you mentioned, it is accumulated. If there are over 100 users logging in at the same time, the rate limit will be hit. Am I right? If my awareness is correct, I’d like to know if it is possible that the requests for limit can go up through business deal. Thanks again for your help and consideration.

1 Like

In theory yes but please note that it is 100 request per sec so essentially 6000 users within a min and 360,000 users within the hr concurrently It is unlikely you will run into authentication api rate limits from your organic user login traffic.

Generally it is not possible to raise rate limits. API rate limits are there to protect you and other customers from DoS attacks which can tank server with unlimited api requests. I will encourage you to reach out to Auth0 Sales team though to discuss your specific use case. You can do so by clicking Discuss your needs button from the auth0 Management dashboard.

1 Like

Thank you for your great help. I learn a lot. Thanks.


Glad we were able to help @hyj110!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.