Getting rate limited for /passwordless/start quickly

Problem statement

When calling the /passwordless/start endpoint from our backend using the client secret, we hit a rate limit of 50 requests per minute per IP. Why might this be happening?

The attempt at passwordless login fails with the following error: "Error code 429 - Too Many Requests".

Symptoms

The attempt at passwordless login fails with the following error: "Error code 429 - Too Many Requests".

Cause

The application used for the /passwordless/start call had its Authentication method set to None, even though the application type was correctly set to Regular Web Application.

Solution

The following two conditions should be met for the extended rate limits to apply.

  1. /passwordless/start should be called with the client secret.
  2. The application used for this call has to be configured as a Regular Web Application, and the Authentication method in its Credentials tab must be set to any option other than None. Setting None marks the app as public, so the reduced rate limits for public clients apply even when a client secret is sent.
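The backend call described above, as an added example that is not part of the original article: it builds the /passwordless/start request with the client secret included (refusing to send without it, since that is what makes the call count against the public-client limit) and turns a 429 reply into a back-off interval. The tenant domain and credentials are placeholders, and the rate-limit headers are assumed to be the `x-ratelimit-reset` / `retry-after` values Auth0 returns, read from a dict with lowercase keys.

```python
# Added example, not code from the original article. Placeholders below must be
# replaced with real values; the client secret must stay server-side.
import json
import time
import urllib.request
from urllib.error import HTTPError

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"            # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"    # placeholder, never ship to a browser


def build_start_request(email, client_id, client_secret, connection="email", send="code"):
    """Return (url, body) for POST /passwordless/start.

    The client_secret is required: without it the request is treated as coming
    from a public application and the reduced per-IP limit applies.
    """
    if not client_secret:
        raise ValueError("client_secret is required for the extended rate limit")
    url = f"https://{AUTH0_DOMAIN}/passwordless/start"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "connection": connection,  # "email" or "sms"
        "email": email,
        "send": send,              # "code" or "link"
    }
    return url, body


def retry_after_seconds(status, headers, now):
    """How long to back off after a response; 0 unless the status is 429.

    Uses x-ratelimit-reset (epoch seconds) when present, then retry-after,
    and otherwise a conservative 60 s (one full rate-limit window).
    """
    if status != 429:
        return 0
    reset = headers.get("x-ratelimit-reset")
    if reset:
        return max(0, int(reset) - now)
    retry = headers.get("retry-after")
    return int(retry) if retry else 60


def start_passwordless(email):
    """Send the request; on 429 return the seconds to wait instead of raising."""
    url, body = build_start_request(email, CLIENT_ID, CLIENT_SECRET)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return {"status": resp.status, "wait": 0}
    except HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return {"status": err.code, "wait": retry_after_seconds(err.code, hdrs, int(time.time()))}
```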

Related References