We wanted to announce an improvement to Auth0's security and performance with new refresh token rate limits. We are limiting the number of refresh tokens to 200 active tokens per user per application. Our service will periodically scan for client applications that keep an excess of active user refresh tokens and remove the excess on an older-first basis. This rate limit is now in effect, though customers currently exceeding the limit will be given a grace period to adjust and will receive the new policy starting October 17th, 2022.
Limiting the number of refresh tokens helps prevent the accidental creation and accumulation of unnecessary or forgotten tokens, avoids the performance side effects of holding large numbers of active tokens, and signals anomalous authentication flows through a "Refresh token excess" warning in tenant logs.
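To make the policy concrete, here is an added example (not Auth0's code, and not the actual implementation of the scan described above) that models the announced behaviour: group active refresh tokens per user per application, and where a group exceeds the 200-token limit, select the oldest tokens for revocation and emit a warning record. The token records, the `plan_revocations` function, the warning dictionary shape and the sample data are all assumptions constructed for this illustration; the real tenant log entry format is not shown on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Limit stated in the announcement: 200 active refresh tokens per user per application.
MAX_ACTIVE_PER_USER_APP = 200


@dataclass(frozen=True)
class RefreshToken:
    """Minimal model of an active refresh token (assumed shape, not Auth0's schema)."""
    token_id: str
    user_id: str
    client_id: str
    issued_at: int  # seconds since epoch; lower value means older token


def plan_revocations(tokens, limit=MAX_ACTIVE_PER_USER_APP):
    """Return (revoke_ids, warnings) for one periodic enforcement pass.

    revoke_ids: token ids to revoke, oldest first, so that no (user, client)
                pair keeps more than `limit` active tokens.
    warnings:   one record per (user, client) pair that exceeded the limit,
                mirroring the "Refresh token excess" warning the announcement
                mentions (field names here are assumptions).
    """
    groups = defaultdict(list)
    for token in tokens:
        groups[(token.user_id, token.client_id)].append(token)

    revoke_ids = []
    warnings = []
    for (user_id, client_id), group in groups.items():
        if len(group) <= limit:
            continue  # exactly at the limit is still compliant
        excess = len(group) - limit
        # Older-first: sort by issue time, tie-break on id for determinism.
        oldest_first = sorted(group, key=lambda t: (t.issued_at, t.token_id))
        revoke_ids.extend(t.token_id for t in oldest_first[:excess])
        warnings.append({
            "type": "refresh_token_excess",  # assumed name for the warning
            "user_id": user_id,
            "client_id": client_id,
            "active_before": len(group),
            "excess": excess,
        })
    return revoke_ids, warnings


def sample_tokens():
    """Constructed sample data: alice has 205 tokens on 'mobile' (over the limit),
    3 on 'web', and bob has exactly 200 on 'mobile' (at the limit, compliant)."""
    tokens = []
    for i in range(205):
        tokens.append(RefreshToken(f"alice-mobile-{i}", "alice", "mobile", 1_000 + i))
    for i in range(3):
        tokens.append(RefreshToken(f"alice-web-{i}", "alice", "web", 5_000 + i))
    for i in range(200):
        tokens.append(RefreshToken(f"bob-mobile-{i}", "bob", "mobile", 2_000 + i))
    return tokens


if __name__ == "__main__":
    revoke, warns = plan_revocations(sample_tokens())
    print(f"revoking {len(revoke)} token(s): {revoke}")
    for w in warns:
        print("warning:", w)
```

Running the script revokes the five oldest of alice's mobile tokens and leaves bob's 200 untouched, which is the practical point for operators: a client that mints a fresh refresh token on every login without rotating or revoking the previous one will see its oldest sessions silently invalidated once the cap is reached, and the corresponding warning in the tenant logs is the signal to look for.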