Hitting rate limits due to /oauth/token calls for every private API request

We’re integrating Auth0 and currently every private API request triggers a call to /oauth/token to check/validate the user token. On pages that fan out multiple private API calls in parallel, this results in many concurrent requests to /oauth/token, and we’re running into rate-limit errors (especially on staging, where we’re on a free plan).

Could you please advise on best practices to avoid this?

Hi @nguyentamhoang12a,

Welcome to the Auth0 Community!

You are hitting this burst limit error because of repeatedly calling the /oauth/token endpoint whenever an access token is needed for the API request. The most well-rounded solution would be caching the access token and checking its validity before calling the /oauth/token endpoint, which retrieves a new access token each time, since our documentation on Access Token specifies that:

By default, an access token for a custom API is valid for 86400 seconds (24 hours)

So you could also just check if the access token has expired before requesting a new one.

Our Token Best Practices documentation also mentions this:

Store and reuse: Reduce unnecessary roundtrips that extend your application’s attack surface, and optimize plan token limits (where applicable) by storing access tokens obtained from the authorization server. Rather than requesting a new token, use the stored token during future calls until it expires. How you store tokens will depend on the characteristics of your application.

For a better understanding of the rate limit policy I would recommend checking out this article - How to tell if you are approaching the Rate-Limit, which also includes links to different useful documentation segments on the matter that I would recommend going over and a FAQ section as well that should be very useful.

I hope this helps and if you have other questions please let me know!

Best regards,

Remus
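The store-and-reuse pattern from the reply above, as an added example that is not part of the original thread nor Auth0's own SDK code. It keeps one access token per process, reuses it until shortly before the `expires_in` lifetime runs out, and serialises refreshes behind a lock so that a page fanning out many parallel private API calls triggers one call to /oauth/token rather than one per request. The token endpoint is simulated with constructed data (`make_fake_token_endpoint`) and the clock is fake so expiry can be shown without waiting 24 hours; `auth0_client_credentials_fetcher` shows the real request shape for the client-credentials grant and is never called here. Domain, client id, secret and audience are placeholders.

```python
import json
import threading
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

LEEWAY_SECONDS = 60.0  # refresh a little before expiry so a token never dies mid-request


class TokenCache:
    """Holds one access token and hands it out until shortly before it expires."""

    def __init__(self, fetch_token: Callable[[], Dict], clock: Callable[[], float] = time.monotonic,
                 leeway: float = LEEWAY_SECONDS) -> None:
        self._fetch = fetch_token        # performs the actual POST to /oauth/token
        self._clock = clock
        self._leeway = leeway
        self._lock = threading.Lock()    # parallel callers wait for one refresh instead of each fetching
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _still_valid(self) -> bool:
        return self._token is not None and self._clock() + self._leeway < self._expires_at

    def get(self) -> str:
        with self._lock:
            if not self._still_valid():
                resp = self._fetch()
                self._token = resp["access_token"]
                # expires_in is the remaining lifetime in seconds (86400 by default for a custom API)
                self._expires_at = self._clock() + float(resp["expires_in"])
            return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get()}"}


def auth0_client_credentials_fetcher(domain: str, client_id: str, client_secret: str,
                                     audience: str) -> Callable[[], Dict]:
    """Real fetcher for the client-credentials grant (placeholders; not exercised offline)."""
    def fetch() -> Dict:
        body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "audience": audience}).encode()
        req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.load(r)
    return fetch


def make_fake_token_endpoint(expires_in: int = 86400) -> Tuple[Callable[[], Dict], Dict[str, int]]:
    """Constructed stand-in for /oauth/token; the counter records how often it was hit."""
    counter = {"n": 0}
    lock = threading.Lock()

    def fetch() -> Dict:
        with lock:
            counter["n"] += 1
            n = counter["n"]
        return {"access_token": f"constructed-token-{n}", "token_type": "Bearer", "expires_in": expires_in}

    return fetch, counter


class FakeClock:
    """Controllable clock so expiry can be demonstrated without waiting a day."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_page_load(get_header: Callable[[], Dict[str, str]], parallel_calls: int = 20) -> None:
    """Fan out `parallel_calls` private API requests at once, each needing an Authorization header."""
    threads = [threading.Thread(target=get_header) for _ in range(parallel_calls)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def demo() -> Tuple[int, int, int]:
    # Case 1 (the situation in the question): no cache, 20 parallel requests -> 20 token calls.
    naive_fetch, naive_counter = make_fake_token_endpoint()
    simulate_page_load(lambda: {"Authorization": f"Bearer {naive_fetch()['access_token']}"})
    without_cache = naive_counter["n"]

    # Case 2: cached, 20 parallel requests -> the lock collapses the burst into 1 token call.
    clock = FakeClock()
    cached_fetch, cached_counter = make_fake_token_endpoint()
    cache = TokenCache(cached_fetch, clock=clock)
    simulate_page_load(cache.auth_header)
    with_cache = cached_counter["n"]

    # Case 3: move the clock to the refresh point (expiry minus leeway) -> exactly one more call.
    clock.advance(86400 - LEEWAY_SECONDS)
    simulate_page_load(cache.auth_header)
    after_expiry = cached_counter["n"]
    return without_cache, with_cache, after_expiry


if __name__ == "__main__":
    print(demo())  # (20, 1, 2)
```

In a real service, `TokenCache(auth0_client_credentials_fetcher(...))` would be created once at startup and shared, and the cached token should live only in memory (or an equally protected store), since anyone who reads it can call the private API until it expires.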
