
Machine to Machine Authentication Rate Limiting

Hi,

We use Auth0 to manage users for our Single Page App and we create machine-to-machine Applications for clients that want to directly use our APIs.

As machine-to-machine authentications are charged, I was wondering if there is a way to limit machine-to-machine authentications per application?

I didn’t find any pre-existing feature. Could we do it via rules or hooks?

Thanks

1 Like

Hi,

The rate limits for our APIs are not configurable in tenant settings. You can find the Authentication rate limits here: https://auth0.com/docs/policies/rate-limits#authentication-api

What you can do to minimize the number of Client Credentials requests made for M2M tokens is to cache the tokens that you receive until they expire and then request new ones. There is no built-in way to cache M2M tokens like this in Auth0 at the moment.

You can also take a look at a related question and answer here.

1 Like

Hi,

I understand the global rate limits and I cache tokens in my applications.

The thing is, I provide M2M credentials to some of my clients (not API clients, actual real-life clients); these clients use Auth0 to retrieve tokens that can be used against my APIs.

Today I don’t have a way to limit calls to the Auth0 Authorization API from these clients and no way to force them to cache their tokens.

Maybe what I am doing wrong is allowing my clients to directly get their tokens from Auth0?

[edit]
The API my customers are using is set behind a broker; this broker handles independent rate limits for each customer.
Could I put the Auth0 Authentication endpoint behind a broker ?

I would also like to know if it is possible to rate-limit the token endpoint or put it behind a broker, specifically Azure API Management. If anyone has done it with the AWS API Gateway, that would be useful to know as well.

The scenario is that I want to create credentials for each of my customers that want to use my API. Then they authenticate with Auth0 and use my API with the JWT generated by Auth0. But if a customer doesn’t cache the token themselves, they will easily blow through my quota of M2M tokens. I am looking to support hundreds of customers eventually.

Thank you.

2 Likes
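The two ideas raised in this thread, caching a client-credentials token until it expires (the answer above) and putting a broker in front of the token endpoint that rate-limits each customer independently (the follow-up question), can be combined in one small service. The code below is an added illustration and is not Auth0's code or anything posted in this thread: a hypothetical `TokenBroker` that holds the per-customer Auth0 client credentials server-side, caches each customer's token until shortly before `expires_in` elapses, and applies a fixed-window request limit per customer to its own token endpoint. The `auth0_client_credentials` helper performs the standard `client_credentials` grant against `/oauth/token`; the tenant domain, client IDs and the `simulate()` traffic are constructed placeholders, and the simulation injects a fake fetch function and clock so it runs offline.

```python
"""Token broker: caches Auth0 client-credentials tokens per customer and
rate-limits each customer's calls so that neither a forgetful client nor a
noisy one can burn through the tenant's M2M token quota."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Type of the upstream fetch: client_id -> (access_token, expires_in_seconds).
FetchToken = Callable[[str], Tuple[str, int]]


def auth0_client_credentials(domain: str, client_id: str, client_secret: str,
                             audience: str) -> Tuple[str, int]:
    """Standard client_credentials grant against https://<domain>/oauth/token.
    The domain/credentials are supplied by the caller; nothing here is a real tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = json.load(resp)
    return payload["access_token"], int(payload["expires_in"])


class RateLimited(Exception):
    """Raised when a customer exceeds its per-window request budget on the broker."""


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds


@dataclass
class TokenBroker:
    fetch_token: FetchToken            # upstream call, e.g. a partial of auth0_client_credentials
    max_requests: int                  # broker calls a customer may make per window
    window_seconds: int                # fixed-window length for that limit
    refresh_skew: int = 60             # refresh this many seconds before expiry
    clock: Callable[[], float] = time.time
    _cache: Dict[str, CachedToken] = field(default_factory=dict)
    _windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # id -> (window_start, count)

    def get_token(self, client_id: str) -> str:
        """Serve a customer's token: enforce its rate limit, then reuse the cached
        token; only go upstream when the cached one is missing or nearly expired."""
        now = self.clock()
        self._consume_budget(client_id, now)
        cached = self._cache.get(client_id)
        if cached and now < cached.expires_at - self.refresh_skew:
            return cached.access_token
        token, expires_in = self.fetch_token(client_id)
        self._cache[client_id] = CachedToken(token, now + expires_in)
        return token

    def _consume_budget(self, client_id: str, now: float) -> None:
        start, count = self._windows.get(client_id, (now, 0))
        if now - start >= self.window_seconds:   # window elapsed: start a fresh one
            start, count = now, 0
        if count >= self.max_requests:
            raise RateLimited(f"{client_id}: more than {self.max_requests} "
                              f"requests in {self.window_seconds}s")
        self._windows[client_id] = (start, count + 1)


def simulate() -> dict:
    """Constructed scenario (no real Auth0 traffic): two customers that never
    cache on their side hit the broker; Auth0 is still called only 3 times."""
    fake_now = [1_700_000_000.0]
    calls = {"upstream": 0}

    def fake_fetch(client_id: str) -> Tuple[str, int]:
        calls["upstream"] += 1                       # stands in for /oauth/token
        return f"tok-{client_id}-{calls['upstream']}", 3600  # 1-hour lifetime (constructed)

    broker = TokenBroker(fake_fetch, max_requests=100, window_seconds=600,
                         clock=lambda: fake_now[0])

    a_tokens = set()                                 # customer A: 50 calls, 12s apart
    for _ in range(50):
        a_tokens.add(broker.get_token("customer-a"))
        fake_now[0] += 12

    b_served = b_rejected = 0                        # customer B: burst of 150 calls
    for _ in range(150):
        try:
            broker.get_token("customer-b")
            b_served += 1
        except RateLimited:
            b_rejected += 1

    fake_now[0] += 3600                              # A's token is now past refresh_skew
    refreshed = broker.get_token("customer-a")
    return {"upstream_calls": calls["upstream"], "a_distinct_tokens": len(a_tokens),
            "b_served": b_served, "b_rejected": b_rejected,
            "a_refreshed": refreshed not in a_tokens}


if __name__ == "__main__":
    print(simulate())  # expected: 3 upstream calls, A sees 1 token, B gets 100 served / 50 rejected
```

With this layout customers authenticate to the broker (with whatever credential the API gateway already enforces) rather than holding Auth0 client secrets, so the number of `/oauth/token` calls is bounded by token lifetime per customer regardless of how the customer behaves, and the per-customer limit protects the broker itself from bursts. In Azure API Management or AWS API Gateway the same shape applies: the gateway's own per-subscriber throttling covers `_consume_budget`, and the caching lives in the backend that calls Auth0.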

We also have this need. It’s easy for external clients to skip the (essential) caching part, so they often do. This causes us to issue way more tokens than necessary and eats into the quota of tokens that we pay for.