I’ve read the documentation, but it mostly refers to the API usage, and as far as I can tell, it does not elaborate on how the hosted UI handles the limits.
We have looked at what requests are being made to the API during the login flow, and this is what we gathered happens:
- /authorize and /login is called during the redirection to the hosted UI
- the hosted UI calls /usernamepassword/login when the user enters credentials and uses the login button
- there is a /login/callback call
- the token is retrieved via a call to /oauth/token
If we take 100 people who try to log in at the same second through the hosted UI, this would make 50 of them reach the login page (there are two requests in the 1st point). Let’s assume they type in their credentials and login in 1 second. Let’s also assume that the clients and servers are so fast that the next 3 endpoint gets called immediately, thus in the next second 100/3 = 33 of them get a token.
So, in this case, we would be able to let in around 33 people every two seconds, right?
Or would only the call to /authorize count towards the limit?