
Machine to Machine Authentication Rate Limiting


We use Auth0 to manage users for our Single Page App, and we create machine to machine Applications for clients that want to use our APIs directly.

As machine to machine authentications are charged, I was wondering if there is a way to limit machine to machine authentications per application?

I didn’t find any pre-existing features. Could we do it via rules or hooks?




The rate limits for our APIs are not configurable in tenant settings. You can find the Authentication rate limits here:

What you can do to minimize the number of Client Credentials requests made for M2M tokens is to cache the tokens you receive until they expire and then request new ones. There is no built-in way to cache M2M tokens like this in Auth0 at the moment.

You can also take a look at a related question and answer here.



I understand the global rate limits and I cache tokens in my applications.

The thing is, I provide M2M credentials to some of my clients (not API clients, actual real life clients), these clients use Auth0 to retrieve tokens that can be used against my APIs.

Today I don’t have a way to limit calls to the Auth0 Authorization API from these clients and no way to force them to cache their tokens.

Maybe what I am doing wrong is allowing my clients to get their tokens directly from Auth0?

The API my customers are using is set behind a broker, and this broker handles independent rate limits for each customer.
Could I put the Auth0 Authentication endpoint behind a broker?


I would also like to know if it is possible to rate limit or put the token endpoint behind a broker, specifically Azure API Management. If anyone has done it with the AWS Gateway that would be useful to know as well.

The scenario is that I want to create credentials for each of my customers that want to use my API. Then they authenticate with Auth0 and use my API with the JWT generated by Auth0. But if a customer doesn’t cache the token themselves, they will easily blow my quota of M2M tokens. I am looking to support 100s of customers eventually.

Thank you.


We also have this need. It’s easier for external clients to skip the (essential) caching part, so they often do it. This will cause us to issue way more tokens than necessary and will eat the quota of tokens that we pay for.


I’m stumbling on to this as well.
This pay-per-token model is pretty much unmanageable if your product has to have a secured API. Having to rely on clients doing caching is unrealistic.
Is there a way to work around this? Any other workflows perhaps that can achieve the same outcome? Is this a problem in Auth0 Enterprise as well?

We are in need of this feature as well. A poorly implemented client could easily deplete our quota.
It is bewildering to me why Auth0 doesn’t provide this basic functionality.


In the same boat. A single client is causing us massive overages, accounting for 95% of our M2M token consumption. We ended up creating our own endpoint in AWS Lambda which calls Auth0 to obtain the token on their behalf, and re-mapping our endpoint in API Gateway to call this lambda instead of Auth0 directly. We are an Enterprise customer, so I’m discussing with our account manager. I’ll let you know if we come up with a better solution.
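The broker pattern discussed in this thread (a proxy that obtains tokens on a customer's behalf, as in the Lambda described in the last post), as an added example that is not from the original thread or from Auth0: a Python token broker that caches each customer's token until shortly before expiry and caps how many upstream client-credentials grants a single customer can trigger per window. The `TokenBroker` class, the `fetch_token` callback and all parameter names are assumptions; in production `fetch_token` would POST the `grant_type=client_credentials` request to the tenant's `/oauth/token` endpoint with the real M2M credentials.

```python
import time

class TokenBroker:
    """Hypothetical broker that customers call instead of Auth0's /oauth/token.

    It holds the real M2M credentials, caches each token until shortly before
    expiry, and caps how many upstream client-credentials grants one customer
    can trigger per window, so a client that never caches costs at most
    max_upstream_per_window M2M tokens per window instead of one per call.
    """

    def __init__(self, fetch_token, max_upstream_per_window=3,
                 window_seconds=3600, refresh_margin=60, now=time.time):
        # fetch_token(client_id, audience) -> (access_token, expires_in_seconds);
        # in production it would POST grant_type=client_credentials to Auth0.
        self._fetch = fetch_token
        self._cache = {}            # (client_id, audience) -> (token, expires_at)
        self._upstream_calls = {}   # client_id -> (window_start, count)
        self.max_upstream = max_upstream_per_window
        self.window = window_seconds
        self.margin = refresh_margin
        self._now = now

    def _allow_upstream(self, client_id):
        """Fixed-window counter of upstream grants per customer."""
        now = self._now()
        start, count = self._upstream_calls.get(client_id, (now, 0))
        if now - start >= self.window:      # window rolled over: reset budget
            start, count = now, 0
        if count >= self.max_upstream:
            self._upstream_calls[client_id] = (start, count)
            return False
        self._upstream_calls[client_id] = (start, count + 1)
        return True

    def get_token(self, client_id, audience):
        """Return (status, token): 200 on cache hit or fresh grant, 429 if the
        customer's upstream budget for this window is spent."""
        key = (client_id, audience)
        cached = self._cache.get(key)
        if cached and cached[1] - self.margin > self._now():
            return 200, cached[0]                    # served from cache
        if not self._allow_upstream(client_id):
            return 429, None                         # protect the M2M quota
        token, expires_in = self._fetch(client_id, audience)
        self._cache[key] = (token, self._now() + expires_in)
        return 200, token
```

A customer that ignores caching now sees a 429 from the broker once its per-window budget is spent, while the upstream Auth0 tenant is billed for at most that many grants per customer per window.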