How to Differentiate Rate Limit Errors (Global vs. Others)

Problem statement

This article describes how to tell apart the scenarios in which a user or an application has been rate-limited, or blocked after too many failed attempts, so that the right limit can be investigated.

Symptoms

The user is blocked or restrained from logging in.

Cause

When a user enters an incorrect OTP too many times, the Tenant logs record an error such as Too Many Failures with the type gd_otp_rate_limit_exceed. A block can also come from Brute-Force Protection once its threshold is reached (for example, if the threshold is set to 10 failed attempts). Both outcomes return an HTTP 429 error, and so do all the rate limit errors, which is why the status code alone does not tell you which limit was hit; the log type and description do.

NOTE: A limit of 3 login attempts may instead come from the magic link a user receives by email. If the link has expired and the user tries to use it 3 times, further attempts are forbidden (HTTP 403) rather than rate-limited (HTTP 429).

Solution

Based on the response, the error descriptions and messages in the Tenant logs can be filtered to understand which type of limit the user is hitting.

Here are a few common error messages for the rate limit errors:

  • Tenant-level global rate limit error:
    • All requests from different IPs will be rate-limited.
    • Tenant Log: Global rate limit exceeded
  • Tenant-level rate limit for a specific IP:
    • All requests from this IP will be rate-limited.
    • Tenant Log: You passed the limit of allowed calls to [PATH] from ip: [IP]
  • User/device level rate limit:
    • A specific user or device is rate-limited on a specific IP.
    • Tenant Log: You have exceeded the rate limit on [PATH]
    • Tenant Log: You passed the limit of allowed calls to [PATH]
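As an added example (not part of this article or of Auth0's own tooling), the following Python snippet applies the classification above to tenant-log entries: it matches the description strings listed above, and the gd_otp_rate_limit_exceed type, to decide whether a tenant-wide, per-IP, or user/device limit is being hit. The log entries, their field names (type, description, ip) and the paths are constructed for the example and are assumptions about the log shape, not real tenant output.

```python
import re

# Scope labels returned by classify(); names are chosen for this example.
GLOBAL = "tenant-global"
PER_IP = "tenant-per-ip"
USER_DEVICE = "user-or-device"
OTP = "otp-too-many-failures"
NONE = "not-a-rate-limit"

# Description patterns quoted in the article; [PATH] and [IP] become groups.
# The per-IP pattern must be tried before the plain "allowed calls to [PATH]"
# pattern, because the latter (without "from ip:") is the user/device limit.
PER_IP_RE = re.compile(
    r"^You passed the limit of allowed calls to (?P<path>\S+) from ip: (?P<ip>\S+)$"
)
USER_PATH_RE = re.compile(r"^You passed the limit of allowed calls to (?P<path>\S+)$")
USER_EXCEEDED_RE = re.compile(r"^You have exceeded the rate limit on (?P<path>\S+)$")

# Constructed sample entries (assumed field names; not real Auth0 log output).
SAMPLE_LOGS = [
    {"type": "", "description": "Global rate limit exceeded", "ip": "203.0.113.5"},
    {"type": "", "description": "You passed the limit of allowed calls to /oauth/token from ip: 203.0.113.7", "ip": "203.0.113.7"},
    {"type": "", "description": "You have exceeded the rate limit on /usernamepassword/login", "ip": "198.51.100.2"},
    {"type": "", "description": "You passed the limit of allowed calls to /co/authenticate", "ip": "198.51.100.2"},
    {"type": "gd_otp_rate_limit_exceed", "description": "Too Many Failures", "ip": "198.51.100.9"},
    {"type": "", "description": "Wrong email or password.", "ip": "198.51.100.9"},
]


def classify(entry):
    """Return (scope, path) for one tenant-log entry.

    The OTP case is keyed on the log type rather than the description, since
    the article identifies it by type gd_otp_rate_limit_exceed.
    """
    desc = (entry.get("description") or "").strip()
    if entry.get("type") == "gd_otp_rate_limit_exceed":
        return OTP, None
    if desc == "Global rate limit exceeded":
        return GLOBAL, None
    m = PER_IP_RE.match(desc)
    if m:
        return PER_IP, m.group("path")
    m = USER_PATH_RE.match(desc) or USER_EXCEEDED_RE.match(desc)
    if m:
        return USER_DEVICE, m.group("path")
    return NONE, None


def triage(entries):
    """Group entries by scope, widest blast radius first.

    Returns a dict scope -> list of (ip, path). If GLOBAL is present, every
    caller is affected; PER_IP points at one source address; USER_DEVICE at a
    single user or device; OTP at a second-factor lockout.
    """
    order = [GLOBAL, PER_IP, USER_DEVICE, OTP, NONE]
    grouped = {scope: [] for scope in order}
    for entry in entries:
        scope, path = classify(entry)
        grouped[scope].append((entry.get("ip"), path))
    return {scope: hits for scope, hits in grouped.items() if hits}


if __name__ == "__main__":
    for scope, hits in triage(SAMPLE_LOGS).items():
        print(f"{scope}: {hits}")
```

Run over a real export, the first non-empty key of triage() is the limit to investigate first: a tenant-global hit explains every other 429 in the same window, whereas a single user/device hit should not be escalated as a tenant-wide outage.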