I am on the free tier and ran through some tests with the incorrect password (as a result no tokens were cached)
As a result, I have hit the rate limit on /oauth/token.
First question: is there a way to check the remaining quota on the endpoint instead of calling it? My sense is that because I keep on hitting the same endpoint to find out, the rate limit doesn’t recover.
Second question: I may be a bit impatient, but 4 hours later, I’m still getting HTTP 429s. How long should I wait for the recovery?
Welcome to the Auth0 Community!
It sounds like you might be running into the User/Password Authentication Rate Limits.
The only way I can find per-endpoint rate limit info is directly in the request.
It sounds like something else is consistently calling this endpoint and hitting the limit.
Do you see any information in your logs? Hitting the token endpoint rate limit usually indicates a loop or something that is causing an unexpectedly large number of requests. I think the free tier is 30 requests/sec or 300/minute.
Thanks for getting back to me.
The issue wasn’t really a quota one per se, but rather a brute force one, which was easily resolved.
To me, these are 2 separate events that should be dealt with differently:
- for a rate limitation issue, I would throttle the IP, to avoid hitting the Auth0 API too hard.
- for a brute force issue, I would intercept the error and notify the user to contact our helpdesk team to resolve the issue.
Therefore, it may be better to have different error messages (the HTTP code is fine, though).
Thanks anyway!
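The two-way split described in the reply above (throttle on a tenant rate limit, hand the user to the helpdesk on brute force protection) and the first question (tracking remaining quota without spending another request) can be handled client-side from the headers and body of each response. The following is an added example, not code from the thread or from any Auth0 SDK. It assumes the `X-RateLimit-Limit`, `X-RateLimit-Remaining` and `X-RateLimit-Reset` headers that Auth0 documents on its public endpoints, and it assumes (check the current Auth0 documentation) that a brute-force block comes back as a 429 whose JSON body has `"error": "too_many_attempts"`. The responses are constructed inline so the code runs offline.

```python
"""Classify /oauth/token failures: rate limit (back off) vs brute force (notify user).

Added example; not part of the original thread and not an Auth0 SDK.
Assumptions: X-RateLimit-* headers as documented by Auth0; a brute-force
block is a 429 whose body carries "error": "too_many_attempts".
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str]
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare lowercased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


@dataclass
class Decision:
    action: str            # "proceed", "throttle", "notify_user", "auth_failed"
    wait_seconds: int = 0  # only meaningful for "throttle"
    detail: str = ""


@dataclass
class QuotaTracker:
    """Remembers the last X-RateLimit-* values seen on any response, so the
    client can decide locally whether the quota is exhausted instead of
    sending yet another request to find out (the question raised above)."""
    limit: Optional[int] = None
    remaining: Optional[int] = None
    reset_at: Optional[int] = None  # Unix timestamp in seconds (assumed format)

    def update(self, resp: Response) -> None:
        for attr, name in (("limit", "X-RateLimit-Limit"),
                           ("remaining", "X-RateLimit-Remaining"),
                           ("reset_at", "X-RateLimit-Reset")):
            value = resp.header(name)
            if value is not None and value.isdigit():
                setattr(self, attr, int(value))

    def seconds_until_allowed(self, now: int, default_backoff: int = 60) -> int:
        """0 if quota remains (or is unknown); otherwise seconds until reset."""
        if self.remaining is None or self.remaining > 0:
            return 0
        if self.reset_at is None:
            return default_backoff
        return max(0, self.reset_at - now)


def classify(resp: Response, tracker: QuotaTracker, now: int) -> Decision:
    """Update the quota tracker from the response, then decide what to do."""
    tracker.update(resp)
    try:
        body = json.loads(resp.body) if resp.body else {}
    except json.JSONDecodeError:
        body = {}
    error = body.get("error", "")

    if resp.status == 200:
        return Decision("proceed")
    if resp.status == 429:
        if error == "too_many_attempts":
            # Brute-force protection: retrying will not help; the account or
            # IP is blocked until Auth0 lifts it, so route the user to support.
            return Decision("notify_user", 0,
                            "brute-force protection triggered; contact the helpdesk")
        # Tenant/endpoint rate limit: slow down until the window resets.
        return Decision("throttle", tracker.seconds_until_allowed(now),
                        "rate limit hit; back off before retrying")
    if resp.status in (401, 403):
        return Decision("auth_failed", 0, error or "invalid credentials")
    return Decision("auth_failed", 0, f"unexpected HTTP {resp.status}")


def demo() -> list:
    """Run three constructed responses through the classifier."""
    tracker = QuotaTracker()
    samples = [
        (Response(429, {"X-RateLimit-Limit": "30", "X-RateLimit-Remaining": "0",
                        "X-RateLimit-Reset": "1000"},
                  '{"error": "too_many_requests"}'), 940),
        (Response(429, {}, '{"error": "too_many_attempts"}'), 1000),
        (Response(200, {"X-RateLimit-Limit": "30", "X-RateLimit-Remaining": "29",
                        "X-RateLimit-Reset": "1060"},
                  '{"access_token": "constructed"}'), 1001),
    ]
    return [classify(resp, tracker, now) for resp, now in samples]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The tracker answers the first question only in the sense the reply above allows: the remaining quota is learned from the headers of responses you already received, not from a separate lookup, so the client should stop sending once `remaining` reaches 0 and wait for `reset_at` rather than probing the endpoint again.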
This should happen by default. We usually send a notification email to the user and you can customize it to say whatever you prefer.
Here’s the reference:
As for the error messages, they may be opaque because the requests are coming from an expected attacker.