Hello, Let’s say logged-in user hits refresh on my home-page which makes a GET request using the User Management API to return metadata on the user. Let’s say he has multiple PCs and accounts and just SPAMS the refresh button on all of them at once and triggers the global ratelimit of 16 requests p…

Hey @benjamin203 , you are right that it’s a global rate limit for the tenant, and not just that user. A couple of possibilities: Since the user is logged in when visiting the page, you can add the metadata to the ID token (or the Access Token, if applicable) so a Management API request is not ne…

How to protect against API Abuse?

Get Help

benjamin203 October 10, 2022, 10:48am 4

Thanks @thameera,

Is there a possibility that a user could send GET or PATCH requests to the User Management API using cURL and trigger the rate limit that way? If so, how could one protect against that scenario?

Topic		Replies	Views
Management API rate limit Get Help	12	6940	December 11, 2019
Upcoming Rate Limit Enforcement on Management API v2 Help finding the API calls Get Help auth0	7	2589	November 12, 2020
What are the rate-limits for Auth0 Management API V2 Get Help management-api , rate-limit	5	13300	November 14, 2019
Management API Rate Limit: "The current_user* Scope Limit has Been Reached" Knowledge Articles	1	34	February 28, 2025
How to increase rate limit of Management API? Get Help management-api , rate-limit , user-management , api-rate	2	7394	March 2, 2018

How to protect against API Abuse?

Related topics