Limits on the hosted login UI

Hey 🙂

I was wondering what kind of request limits apply to the hosted login UI. Are those the same as the API limits for the account? Do the requests made by the hosted UI count towards the API limits of the account, or are they separate?

I was unable to find information on this in the docs.

Edit:
Also, is there a login queue to handle bursts on the hosted login?

Hi @janos.kubisch,

Welcome to the Community!

Here is the rate limit doc:

Assuming you are referring to the /authorize endpoint, it looks like it is under the global limit, which is 100 requests/second for paid production tenants, and 300/minute for free tenants.

Here is how errors are handled:

Thanks for the answer Dan!
So if I understand this correctly, the API rate limits documented here apply to us when we are using the login page hosted by Auth0 as well - and there is no login queue implemented into that page to handle burst load?

This is what I’m talking about:
[Image: Screenshot from 2021-03-12 09-45-00]

That would be an /authorize endpoint call I mentioned in my first response. There isn’t a documented queue that I am aware of. Did you look at the error doc I linked? It directly explains what happens when a rate limit is reached.

I’ve read the documentation, but it mostly refers to the API usage, and as far as I can tell, it does not elaborate on how the hosted UI handles the limits.

We have looked at what requests are being made to the API during the login flow, and this is what we gathered happens:

  1. /authorize and /login are called during the redirection to the hosted UI
  2. the hosted UI calls /usernamepassword/login when the user enters credentials and uses the login button
  3. there is a /login/callback call
  4. the token is retrieved via a call to /oauth/token

If we take 100 people who try to log in at the same second through the hosted UI, this would make 50 of them reach the login page (there are two requests in the 1st point). Let’s assume they type in their credentials and log in in 1 second. Let’s also assume that the clients and servers are so fast that the next 3 endpoints get called immediately, thus in the next second 100/3 = 33 of them get a token.

So, in this case, we would be able to let in around 33 people every two seconds, right?
Or would only the call to /authorize count towards the limit?
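
The burst arithmetic from the post above, as an added example that is not part of the original thread and not Auth0 code. It assumes every request in the listed flow counts toward the 100 requests/second limit, a fixed one-second window, and that a rate-limited user simply retries in the next second; `simulate_burst` and its parameters are hypothetical names.

```python
# Requests per login phase, from the flow listed in the post above:
# redirect = /authorize + /login; submit = /usernamepassword/login,
# /login/callback, /oauth/token.
PHASE_COSTS = (2, 3)


def simulate_burst(users, limit_per_sec=100, think_time=1):
    """Return the number of logins completed in each one-second window.

    Assumptions (not taken from Auth0 documentation): the limit is a fixed
    one-second window, a phase starts only if all of its requests fit in the
    remaining budget, and a user who does not fit waits for the next window
    without consuming budget. Users are served in arrival order.
    """
    if limit_per_sec < max(PHASE_COSTS):
        raise ValueError("limit too small for any phase to fit in a window")
    phase = [0] * users      # index of the next phase each user must send
    ready_at = [0] * users   # earliest second the user can send that phase
    completed = []           # completed[t] = tokens issued in second t
    done, t = 0, 0
    while done < users:
        budget = limit_per_sec
        finished = 0
        for u in range(users):
            if phase[u] == len(PHASE_COSTS) or ready_at[u] > t:
                continue     # already logged in, or still typing credentials
            cost = PHASE_COSTS[phase[u]]
            if cost > budget:
                continue     # would be rate limited; retry in the next window
            budget -= cost
            phase[u] += 1
            if phase[u] == len(PHASE_COSTS):
                finished += 1
            else:
                ready_at[u] = t + think_time
        completed.append(finished)
        done += finished
        t += 1
    return completed


if __name__ == "__main__":
    print(simulate_burst(100))
```

For 100 simultaneous users this returns `[0, 33, 17, 24, 14, 12]`: 33 tokens in the second window, as estimated in the post, with the whole burst drained after six seconds. Later windows are shared between users submitting credentials and users still waiting for the login page, which is why throughput does not stay at 33.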

@janos.kubisch,

That is a valid question. Let me reach out to the team and confirm whether or not each additional request in the /authorize pipeline counts towards the rate limit.

I can confirm each request would be counted.

The response I got internally was that it is extremely unlikely that you would have a scenario like the one you described unless you were performing a load test or some synthetic behavior.

I see, thanks for the help! 🙂

Let us know if you run into any other questions.
