Please provide a built-in solution to rate-limit and cache M2M authentication tokens

We would like to protect our APIs with Auth0. However, we do not control the client programs the customers write. As I understand it, there is no built-in way to rate-limit individual clients or cache their tokens for the token lifetime.

It is left up to the client programmer to implement caching and handling of expiration correctly. As we know, developers are lazy and sometimes just produce flawed code. We know many clients request tokens way more often than necessary (worst case a fresh token for each API request). That will basically cause a potentially very costly denial-of-service attack on our authentication service, because Auth0 provides no way to limit or cache the token requests.

IMHO this is a huge design flaw in the Auth0 product and pricing scheme.

I’ve seen that there exists a custom hook script that can use a Redis database to do some caching / rate limiting. We’re not willing to maintain our own highly available infrastructure to get such a basic feature.

Please provide a timeline for making M2M authentication an actually usable feature of the product by implementing rate limiting and token caching as built-in functionality.

If that is not feasible, the pricing model should be reworked to not be based on the number of token requests.

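The client-side behaviour the post asks for (reuse a client_credentials token for its whole lifetime and refresh it only shortly before expiry, even when many threads call the API at once) is shown here as an added example; it is not code from this thread or from Auth0. The `fetch` callable, the `refresh_margin` and the injectable `clock` are assumptions: `fetch` stands in for the real POST to the token endpoint and returns `(access_token, expires_in)`.

```python
import threading
import time
from typing import Callable, Dict, Tuple

# Hypothetical wrapper around the real token-endpoint call:
# audience -> (access_token, expires_in seconds)
TokenFetcher = Callable[[str], Tuple[str, int]]


class M2MTokenCache:
    """Holds one token per audience and reuses it until shortly before expiry,
    so the token endpoint is only contacted when no usable token is cached."""

    def __init__(self, fetch: TokenFetcher, refresh_margin: int = 60,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch            # performs the real token request
        self._margin = refresh_margin  # refresh this many seconds before expiry
        self._clock = clock            # injectable for deterministic tests
        self._lock = threading.Lock()  # single-flight: one refresh under concurrency
        self._tokens: Dict[str, Tuple[str, float]] = {}  # audience -> (token, expires_at)
        self.fetch_count = 0           # real token requests made so far

    def _usable(self, entry, now: float) -> bool:
        return entry is not None and entry[1] - self._margin > now

    def get(self, audience: str) -> str:
        now = self._clock()
        entry = self._tokens.get(audience)
        if self._usable(entry, now):
            return entry[0]
        with self._lock:
            entry = self._tokens.get(audience)  # re-check: another thread may have refreshed
            if self._usable(entry, now):
                return entry[0]
            token, expires_in = self._fetch(audience)
            self.fetch_count += 1
            self._tokens[audience] = (token, now + expires_in)
            return token


def token_requests_for_burst(cache: M2MTokenCache, audience: str, n_api_calls: int) -> int:
    """Simulates n_api_calls API requests from several threads and returns how many
    token requests the cache actually issued (the uncached worst case would be n)."""
    threads = [threading.Thread(target=cache.get, args=(audience,)) for _ in range(n_api_calls)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cache.fetch_count
```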

Hey there Juho!

Thank you a lot for sharing your feedback here regarding that. To bring it to the attention of our managers’ crew, can you share it through our product feedback form? It is located here:

Once you do that, within 10 business days you will be contacted by one of our product managers to shed some light on it. Thank you!

Hi Konrad!

I will do that.

Thanks.


Perfect! Thanks a lot!

Fully agree with this topic request, wonder if there is any decision on supporting it?

If you can also share the full context, use case and justification by creating a topic in our feedback category, then that will be perfect:

I’m operating a production service authenticated with Auth0 M2M tokens, and we’re constantly dealing with issues of rate limits / quotas on M2M tokens that originate with our clients (whose code we did not write / do not directly control). It’s a huge waste of time and effort on our part to police our third-party integrators and their usage of M2M tokens. Built-in caching would be tremendously helpful.


Submitted feedback on this as well. We have made the decision not to use Auth0 M2M for customer API authentication due to these concerns and limitations.


Really appreciate all your feedback!

I’m having the same issue. Is there a link to a ticket that’s being worked on for this?


We are using M2M for internal communication and have the following queries:

  1. Can we check how much of the monthly quota for an API is left, as we will connect multiple applications to one API?
  2. How much has each application consumed?
  3. Is there documentation showing the current quota limit?