We’re integrating Auth0 and currently every private API request triggers a call to /oauth/token to check/validate the user token. On pages that fan out multiple private API calls in parallel, this results in many concurrent requests to /oauth/token, and we’re running into rate-limit errors (especially on staging, where we’re on a free plan).
Could you please advise on best practices to avoid this?
Hi @nguyentamhoang12a,
Welcome to the Auth0 Community!
You are hitting this burst limit error because of repeatedly calling the /oauth/token endpoint whenever an access token is needed for the API request. The most well-rounded solution would be caching the access token and checking its validity before calling the /oauth/token endpoint, which retrieves a new access token each time, since our documentation on Access Token specifies that:
By default, an access token for a custom API is valid for 86400 seconds (24 hours)
So you could also just check if the access token has expired before requesting a new one.
Our Token Best Practices documentation also mentions this:
Store and reuse: Reduce unnecessary roundtrips that extend your application's attack surface, and optimize plan token limits (where applicable) by storing access tokens obtained from the authorization server. Rather than requesting a new token, use the stored token during future calls until it expires. How you store tokens will depend on the characteristics of your application.
For a better understanding of the rate limit policy I would recommend checking out this article - How to tell if you are approaching the Rate-Limit, which also includes links to different useful documentation segments on the matter that I would recommend going over and a FAQ section as well that should be very useful.
I hope this helps and if you have other questions please let me know!
Best regards,
Remus
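The store-and-reuse pattern from the answer above, as an added example that is not code from the original thread, from Auth0, or from its SDKs. It caches the token returned by /oauth/token together with its `expires_in`, treats the token as expired a short safety margin before the server does, and uses a single-flight lock so that a page fanning out ten parallel API calls on a cold cache makes exactly one /oauth/token request instead of ten. The real HTTP call is replaced by an injected `fetch_token` callable (in production this would be your POST to `https://{domain}/oauth/token`); the counting fake fetcher, the fake clock and all class and function names are constructed for the demonstration.

```python
"""Cache an Auth0 access token and reuse it until shortly before it expires.

Assumptions (not from the original thread): the /oauth/token call is an
injected `fetch_token` callable returning the endpoint's JSON body shape
({"access_token": ..., "expires_in": seconds, ...}); clock and fetcher are
fakes so the example runs offline.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional


class TokenCache:
    """Hold one access token and hand it out until it is about to expire."""

    def __init__(self, fetch_token: Callable[[], Dict],
                 clock: Callable[[], float] = time.monotonic,
                 skew: float = 60.0):
        self._fetch = fetch_token
        self._clock = clock
        # Refresh `skew` seconds early so a request sent just before expiry
        # is not rejected by the API with a token that died in flight.
        self._skew = skew
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at: float = 0.0

    def _valid(self) -> bool:
        return (self._token is not None
                and self._clock() < self._expires_at - self._skew)

    def get(self) -> str:
        if self._valid():
            return self._token  # fast path: no lock, no network
        # Single-flight: only the first caller talks to /oauth/token; the
        # others block on the lock, re-check, and reuse what it stored.
        with self._lock:
            if not self._valid():
                body = self._fetch()
                self._token = body["access_token"]
                self._expires_at = self._clock() + float(body["expires_in"])
            return self._token


class FakeClock:
    """Constructed clock so the example can jump forward 24 hours instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo(parallel: int = 10) -> Dict[str, object]:
    """Fan out `parallel` API calls on a cold cache, then cross the expiry."""
    clock = FakeClock()
    calls = {"n": 0}
    counter_lock = threading.Lock()

    def fake_oauth_token() -> Dict:
        # Stand-in for POST https://{domain}/oauth/token (constructed data).
        with counter_lock:
            calls["n"] += 1
            n = calls["n"]
        time.sleep(0.01)  # simulated latency so the parallel calls overlap
        return {"access_token": f"tok-{n}", "expires_in": 86400,
                "token_type": "Bearer"}

    cache = TokenCache(fake_oauth_token, clock=clock)
    with ThreadPoolExecutor(max_workers=parallel) as pool:
        tokens = list(pool.map(lambda _: cache.get(), range(parallel)))
    fanout_calls = calls["n"]

    # 86400 s lifetime: 30 s before expiry is inside the 60 s skew window,
    # so the next get() fetches a fresh token rather than serving a stale one.
    clock.now += 86400 - 30
    refreshed = cache.get()
    return {
        "fanout_calls": fanout_calls,          # expect 1, not `parallel`
        "distinct_tokens": len(set(tokens)),   # every caller got the same one
        "calls_after_expiry": calls["n"],      # expect 2
        "token_after_expiry": refreshed,       # expect "tok-2"
    }


if __name__ == "__main__":
    print(demo())
```

Keep one `TokenCache` instance per process (or per client credential) so the fast path is shared by every request handler; creating a new cache per request defeats the purpose. Because the skew is subtracted from the server's `expires_in`, the cache never relies on a token in its last minute of life, which is the window where clock drift between your host and Auth0 bites.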