How to tell if you are approaching the Rate-Limit

Problem statement

How do I determine the number of remaining requests for my tenant before reaching the rate limit?

Symptoms

  • 429 HTTP Error (Too Many Requests)

Steps to reproduce

  • Exceed the sustained RPS for the corresponding endpoints
  • To calculate the sustained RPS see Rate Limits Exposition

Troubleshooting

  • Monitor your requests by keeping a running count of the number of requests you have made
  • Monitor your requests using the Auth0 Dashboard
    • Using Lucene search syntax, filter for api_limit

Cause

  • High loads during certain events like Black Friday, Christmas, etc.
  • Implementation that does not use any caching, or that makes repeated calls in quick succession
  • Bulk requests such as bulk delete, bulk unblock, etc.

Solution

To determine whether you are approaching the rate limit, monitor the rate-limit headers returned with each response.

The headers:

  • x-ratelimit-limit: The maximum number of requests available in the current time frame.
  • x-ratelimit-remaining: The number of remaining requests in the current time frame.
  • x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.

These headers tell you whether you are getting close to the rate limit.

Please see Rate Limit Policy for more information on the HTTP response headers.
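A client-side check built on these three headers, added here as an illustration and not Auth0 code: it reads the headers from each response and returns how long to wait before the next call. The function names, the 20% warning threshold, the 1-second minimum backoff and the sample responses are assumptions, as is treating x-ratelimit-reset as a timestamp in seconds.

```python
import time

def parse_rate_limit(headers):
    """Return (limit, remaining, reset_epoch), or None if a header is absent or malformed."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    try:
        return (int(h["x-ratelimit-limit"]),
                int(h["x-ratelimit-remaining"]),
                int(h["x-ratelimit-reset"]))  # assumed to be UNIX time in seconds
    except (KeyError, ValueError):
        return None

def next_delay(status, headers, now=None, warn_fraction=0.2, min_backoff=1.0):
    """Seconds to wait before sending the next request.

    warn_fraction and min_backoff are assumed tuning values, not Auth0 settings.
    """
    now = time.time() if now is None else now
    parsed = parse_rate_limit(headers)
    if parsed is None:
        # No usable headers: only back off if the server already answered 429.
        return min_backoff if status == 429 else 0.0
    limit, remaining, reset = parsed
    until_reset = max(reset - now, 0.0)
    if status == 429 or remaining <= 0:
        # Budget exhausted: wait for the reset, never less than min_backoff
        # (guards against clock skew or a reset time already in the past).
        return max(until_reset, min_backoff)
    if limit > 0 and remaining / limit <= warn_fraction:
        # Approaching the limit: spread what is left over the rest of the window.
        return until_reset / remaining
    return 0.0

NOW = 1_700_000_000  # constructed timestamp
SAMPLES = [  # constructed responses, not captured traffic
    (200, {"X-RateLimit-Limit": "50", "X-RateLimit-Remaining": "40",
           "X-RateLimit-Reset": str(NOW + 10)}),
    (200, {"x-ratelimit-limit": "50", "x-ratelimit-remaining": "5",
           "x-ratelimit-reset": str(NOW + 10)}),
    (429, {"x-ratelimit-limit": "50", "x-ratelimit-remaining": "0",
           "x-ratelimit-reset": str(NOW + 7)}),
    (429, {}),  # limited, but the headers were stripped by an intermediary
]

if __name__ == "__main__":
    for status, hdrs in SAMPLES:
        print(status, parse_rate_limit(hdrs), next_delay(status, hdrs, now=NOW))
```

Logging the parsed values alongside each delay gives the running count mentioned under Troubleshooting without a separate counter.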

FAQ

Q: Are Rate Limits different or the same for Development tenants vs. Production tenants?

A: Rate limits are different for Developer tenants vs. Production tenants. Please see below for the difference in Rate Limits for the Management API and Authentication API.

Q: What if I want to increase my rate limit?

A: Unfortunately, we cannot increase the rate limits unless it is for a temporary event like the Super Bowl, Black Friday, etc. If this applies to you, please reach out to our Auth0 Support team so we can assess its viability and formally request it. It would fall under our Burst API offering, which is a temporary paid service.

Q: Is there an example of how to calculate sustained requests per second for an endpoint?

A: Let’s use the Management API Create a User endpoint for an example. The rate limit for the create users endpoint in an Enterprise subscription Production tenant is 50 requests per second with bursts up to 1000 requests per minute.

Considering the Enterprise subscription Production tenant rate limit:

  • Sustained Requests per Second: 16 (1000/60)
  • Maximum Requests per Second: 50
  • Bursts per Minute (Peak): 1000

The Sustained Requests per Second is the most important one to consider over time. If your application never exceeds this, the traffic will never be limited. The limit can be exceeded, but the degree of excess determines how quickly the burst limit is reached.

For example, an application could make 50 requests per second but would consume the burst limit in about 30 seconds and be limited to approximately 16 requests per second. On the other hand, if traffic is spaced out at precisely 16 requests per second, the rate limit would never be reached.
