Hey @benjamin203, you are right that it’s a global rate limit for the tenant, and not just that user.
A couple of possibilities:
- Since the user is logged in when visiting the page, you can add the metadata to the ID token (or the Access Token, if applicable) so a Management API request is not necessary.
- Cache the user profiles on your backend for, say, 1 minute - so frequent refreshes will not trigger duplicate Management API requests.
- Implement a rate limit on the User Profile page itself so a user cannot visit the page repeatedly even if they attempted to.
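
The caching suggestion above, sketched as an added example that is not part of the original reply: a 60-second per-user cache that also merges concurrent refreshes into one upstream request. `createProfileCache` and `fetchProfile` are hypothetical names; `fetchProfile` stands in for whatever function your backend uses to call the Management API.

```javascript
// Added example: TTL cache in front of a Management API profile lookup.
// fetchProfile is a hypothetical async function (userId) => profile that does
// the real upstream call; it is injected so the cache can be exercised offline.
function createProfileCache(fetchProfile, { ttlMs = 60000, now = Date.now } = {}) {
  const entries = new Map();   // userId -> { profile, expiresAt }
  const inFlight = new Map();  // userId -> Promise for a pending upstream call
  let upstreamCalls = 0;

  function get(userId) {
    const hit = entries.get(userId);
    if (hit && hit.expiresAt > now()) return Promise.resolve(hit.profile);

    // Rapid page refreshes for the same user share a single upstream request.
    if (inFlight.has(userId)) return inFlight.get(userId);

    upstreamCalls += 1;
    const pending = Promise.resolve()
      .then(() => fetchProfile(userId))
      .then((profile) => {
        entries.set(userId, { profile, expiresAt: now() + ttlMs });
        return profile;
      })
      // Failures are never cached, so the next request retries upstream.
      .finally(() => inFlight.delete(userId));
    inFlight.set(userId, pending);
    return pending;
  }

  // Call after your application writes to a profile so stale data is not served.
  function invalidate(userId) {
    entries.delete(userId);
  }

  return {
    get,
    invalidate,
    stats: () => ({ upstreamCalls, cached: entries.size }),
  };
}
```

This cache lives in one process; with several backend instances, each keeps its own copy and makes its own upstream call per user per minute.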