Getting rate limitted for /passwordless/start quickly

Problem statement

When calling the /passwordless/start endpoint from our backend using the client secret, a rate limit occurs with 50 reqs/minute per IP limit. Why might this be happening?

The attempt at passwordless login fails, with the following error:
Error code 429 - Too Many Requests


Attempt at passwordless login fails, with the following error: “Error code 429 - Too Many Requests”.


The application used for the /passwordless/start had the Authentication method set to None, even though the application type was correctly set as a regular web app.


The following two conditions should be met for the extended rate limits to apply.

  1. /passwordless/start should be called with the client secret.
  2. The application used for this call has to be configured as a regular web application, and the authentication method in the Credentials tab should be set to any option other than None . Setting None indicates that the app is public, and then the reduced rate limits apply.
    Screenshot 2023-09-14 at 18.08.38.png

Related References