How to protect against API Abuse?


Let’s say a logged-in user hits refresh on my home page, which makes a GET request using the User Management API to return metadata on the user. Let’s say he has multiple PCs and accounts and just SPAMS the refresh button on all of them at once and triggers the global rate limit of 16 requests per second. Does this mean the User Management API is on timeout for all of my users who are trying to use my service at that time, limiting the functionality of my app? Or does just that one user time out? I know that Auth0 has brute-force countermeasures at login, but does it handle cases like this on an individual level to restrict these kinds of bad actors?

Now, this is not something that is happening to me, but I want to ensure this cannot happen.

Thanks in advance for the replies.

Hey @benjamin203 , you are right that it’s a global rate limit for the tenant, and not just that user.

A couple of possibilities:

  1. Since the user is logged in when visiting the page, you can add the metadata to the ID token (or the Access Token, if applicable) so a Management API request is not necessary.
  2. Cache the user profiles on your backend for, say, 1 minute, so frequent refreshes will not trigger duplicate Management API requests.
  3. Implement a rate limit on the User Profile page itself so a user cannot visit the page repeatedly even if they attempt to.
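Suggestions 2 and 3 above, combined in one backend wrapper, as an added Node.js example (this is not code from the thread or from Auth0). It assumes a server-side handler that looks up a user profile on page load; the Management API call is replaced by a synchronous stand-in that counts upstream requests, the TTL, window size and per-user allowance are assumed values to tune for your app, and user ids like `auth0|user1` are constructed sample values. The limiter is keyed by the authenticated user id, so one account hammering refresh is throttled on its own and does not consume the tenant-wide Management API quota that every other user shares.

```javascript
// Added example: per-user TTL cache plus per-user fixed-window rate limit in
// front of a Management API "get user" call. Constants are assumed values.
const PROFILE_TTL_MS = 60 * 1000;   // suggestion 2: cache profiles for 1 minute
const USER_WINDOW_MS = 10 * 1000;   // suggestion 3: per-user window length
const USER_MAX_PER_WINDOW = 5;      // page loads allowed per user per window

// Stand-in for GET /api/v2/users/{id}. A real call would be an async HTTP
// request made with a server-held token; it is synchronous here so the
// example runs offline and the number of upstream calls can be inspected.
function createFakeManagementApi() {
  let calls = 0;
  return {
    getUser(userId) {
      calls += 1;
      return { user_id: userId, user_metadata: { plan: 'free' } }; // constructed
    },
    callCount: () => calls,
  };
}

// now() is injectable so cache expiry and window rollover can be tested
// deterministically with a fake clock.
function createProfileService(mgmtApi, now = () => Date.now()) {
  const cache = new Map();    // userId -> { profile, expiresAt }
  const windows = new Map();  // userId -> { start, count }

  // Fixed-window counter keyed by the authenticated user id, so one abusive
  // account is throttled without affecting anyone else.
  function allowPageLoad(userId, t) {
    let w = windows.get(userId);
    if (!w || t - w.start >= USER_WINDOW_MS) {
      w = { start: t, count: 0 };
      windows.set(userId, w);
    }
    w.count += 1;
    if (w.count > USER_MAX_PER_WINDOW) {
      return { allowed: false, retryAfterMs: w.start + USER_WINDOW_MS - t };
    }
    return { allowed: true };
  }

  // Order matters: throttle first, then serve from cache, and only a cache
  // miss by an un-throttled user reaches the Management API.
  function getProfile(userId) {
    const t = now();
    const gate = allowPageLoad(userId, t);
    if (!gate.allowed) {
      return { status: 429, source: 'limiter', retryAfterMs: gate.retryAfterMs };
    }
    const hit = cache.get(userId);
    if (hit && hit.expiresAt > t) {
      return { status: 200, source: 'cache', profile: hit.profile };
    }
    const profile = mgmtApi.getUser(userId);
    cache.set(userId, { profile, expiresAt: t + PROFILE_TTL_MS });
    return { status: 200, source: 'upstream', profile };
  }

  return { getProfile };
}

// Simulate one user pressing refresh n times within the same instant and
// tally how each request was served.
function refreshStorm(service, userId, n) {
  const tally = { upstream: 0, cache: 0, limiter: 0 };
  for (let i = 0; i < n; i += 1) {
    tally[service.getProfile(userId).source] += 1;
  }
  return tally;
}

// Stand-alone demo: 20 refreshes from one account cost exactly one
// Management API request.
function demo() {
  const api = createFakeManagementApi();
  const svc = createProfileService(api);
  console.log(refreshStorm(svc, 'auth0|user1', 20));
  console.log('Management API calls:', api.callCount());
}
demo();
```

In a real handler the `mgmtApi.getUser` call would be awaited and the cache would live in something shared across instances (Redis, for example) rather than an in-process Map; the decision logic stays the same.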

Thanks @thameera,

Is there a possibility that a user could send GET or PATCH requests to the User Management API using cURL and trigger the rate limit that way? If so, how could one protect against that scenario?

Usually a Management API request needs an Access Token that has the read:users or update:users scope. It’s not possible for a user to obtain one, so they should not be able to call the endpoints themselves.

However, if this is about the Management API Access Tokens that you obtain during a login for a SPA [1] with *:current_user_* scopes, they do not affect the global rate limit. These requests will have a 10 req/min/ip limit as described in our docs [2]. I didn’t consider this scenario in my previous reply, so if your question was actually about these requests, they do not affect the global limits.

[1] Get Management API Access Tokens for Single-Page Applications
[2] Management API Endpoint Rate Limits
