We are trying to verify the API-level permissions of each user through the Auth0 Management API for security reasons. But we just realized there is a rate limit for the Management API per tenant: "For paid tenants, usage of the Management API is restricted to 15 requests per second (and bursts up to 50 requests)", from the Rate Limit Policy.
Is the rate limit adjustable for enterprise? Or any other suggestions?
If you need more than 15 requests per second, add temporisation in your code.
Or, as mentioned in the doc, use your own database identity.
The rate limit concerns the Management API. If you need more than 15 requests per second, you need to analyse your code logic / architecture to see whether you need a more complex approach that stores such information on your project side.
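As an added example (not code from this thread or from Auth0), here is one way to implement the "temporisation" suggested above: a token bucket sized to the quoted 15 requests/second with a burst of 50, placed in front of a per-user permission cache so that the Management API is only called on a cache miss and only when local budget remains. The `fetch_permissions` callable, the `FakeClock` and the sample permission names are constructed for the example; the real call would be your Management API client.

```python
import time
from collections import OrderedDict


class FakeClock:
    """Constructed clock so the throttle and cache can be exercised deterministically."""
    def __init__(self, start=0.0):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TokenBucket:
    """Allows `rate` calls/second sustained with bursts of up to `burst`
    (the quoted paid-tenant figures are 15/s and 50)."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self.tokens = float(burst)
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self):
        """Consume one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self):
        self._refill()
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) / self.rate


class PermissionCache:
    """Per-user permission sets with a TTL. The TTL bounds how long a revoked
    permission can still be honoured, so keep it short."""
    def __init__(self, ttl_seconds, max_entries=10_000, clock=time.monotonic):
        self.ttl, self.max_entries, self.clock = ttl_seconds, max_entries, clock
        self._entries = OrderedDict()  # user_id -> (expires_at, frozenset of permissions)

    def get(self, user_id):
        entry = self._entries.get(user_id)
        if entry is None:
            return None
        expires_at, perms = entry
        if self.clock() >= expires_at:
            del self._entries[user_id]
            return None
        self._entries.move_to_end(user_id)
        return perms

    def put(self, user_id, perms):
        self._entries[user_id] = (self.clock() + self.ttl, frozenset(perms))
        self._entries.move_to_end(user_id)
        while len(self._entries) > self.max_entries:  # evict least recently used
            self._entries.popitem(last=False)


class ManagementApiThrottled(Exception):
    def __init__(self, retry_after):
        super().__init__(f"local Management API budget exhausted; retry in {retry_after:.2f}s")
        self.retry_after = retry_after


class PermissionService:
    """Resolves a user's permissions, calling the Management API only on a cache miss
    and only when the local bucket has budget. Fails closed otherwise."""
    def __init__(self, fetch_permissions, bucket, cache):
        # fetch_permissions is a hypothetical callable: user_id -> iterable of permission names
        self.fetch_permissions = fetch_permissions
        self.bucket, self.cache = bucket, cache

    def permissions_for(self, user_id):
        cached = self.cache.get(user_id)
        if cached is not None:
            return cached
        if not self.bucket.try_acquire():
            raise ManagementApiThrottled(self.bucket.seconds_until_token())
        perms = frozenset(self.fetch_permissions(user_id))
        self.cache.put(user_id, perms)
        return perms

    def has_permission(self, user_id, needed):
        return needed in self.permissions_for(user_id)


if __name__ == "__main__":
    clock, calls = FakeClock(), []

    def fake_fetch(user_id):  # stands in for the Management API call listing a user's permissions
        calls.append(user_id)
        return {"read:reports"}

    svc = PermissionService(fake_fetch, TokenBucket(15, 50, clock), PermissionCache(60, clock=clock))
    for _ in range(1000):
        svc.has_permission("auth0|user1", "read:reports")
    print("upstream calls for 1000 checks:", len(calls))
```

The service deliberately raises rather than serving a stale entry when the bucket is empty: serving stale permissions would extend the window in which a revoked permission is still honoured, whereas a 429/503 with `retry_after` is a visible, bounded failure. The cache TTL is the real security knob here, for the same reason the token lifetime is in the replies below.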
Even for our enterprise clients, it is unlikely that you would be granted a rate limit increase. Typically we would work with you on finding a solution that does not require a rate limit increase (not that it hasn’t happened on a very rare occasion).
Is there a security issue with using the permissions in the token? This usually dictates how the api should handle the user. If your permissions are quickly changing, then you would want to set a shorter life to the token, rather than polling the management API.
@dan.woda We have multiple APIs, and some APIs want to use scopes for more granular access control. This could end up with a fair amount of (>100) scopes/permissions for a single user. The top concern is security, which is why we try to avoid revealing all these permissions to our end users; the size of the token is another concern. Instead, we prefer a backend API service to query the Auth0 Management API to get the user's permissions for this API when a request comes in.
@dan.woda My understanding is that a role is only used to manage scopes. If we only pass the role information to the backend, the backend still needs to query the Management API to get all the permissions. In this case, the same rate limit will apply, is that right?
The other option would be to encrypt and store the values in a custom claim. They likely shouldn’t be using scopes anyway, as that is how a user gives permission to an app, not an app gives permission to a user.
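As an added example (not code from this thread or from Auth0), this shows the token-side alternative from the two replies above: the authorization server puts the user's permissions into a namespaced custom claim of a short-lived token, and the backend API makes its decision from the verified claims instead of polling the Management API. It is stdlib-only and uses HS256 with a constructed secret so it runs offline; Auth0 would normally sign with RS256, and the claim namespace `https://example.com/permissions` is an assumed placeholder. Encrypting the claim contents, as suggested above, is not shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed claim name: Auth0 custom claims must be namespaced; this URL is a placeholder.
PERMISSIONS_CLAIM = "https://example.com/permissions"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, permissions, secret, now, ttl_seconds=300):
    """Issue a short-lived HS256 token carrying the user's permissions.
    Stands in for the authorization server; a short ttl bounds how long a
    revoked permission stays usable."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds,
               PERMISSIONS_CLAIM: sorted(permissions)}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_token(token, secret, now=None):
    """Backend-side check: pinned algorithm, signature, then expiry; returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable token") from exc
    # Pin the algorithm we expect instead of trusting the token's own header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise TokenError("expired or missing exp")
    return payload


def has_permission(payload, needed):
    """The API's own authorization decision, made from verified claims only."""
    return needed in set(payload.get(PERMISSIONS_CLAIM, []))


if __name__ == "__main__":
    secret = b"constructed-test-secret-not-for-production"
    tok = issue_token("auth0|user1", {"read:reports"}, secret, now=int(time.time()))
    claims = verify_token(tok, secret)
    print(claims["sub"], has_permission(claims, "read:reports"))
```

Two details carry the security weight: the algorithm is pinned by the verifier rather than read from the token, and the signature is checked before any claim, including `exp`, is trusted. With permissions in the token, the token lifetime plays the role the cache TTL would play in the polling design.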
I see, scope represents what permissions that a user delegates to an application. That means scope is usually a subset of a user’s entire permissions. Thanks!