Hi - we’re running a membership site using Passwordless Email (OTP codes), and we’re consistently hitting the /u/login/passwordless-email-challenge and /passwordless/start rate limits during traffic spikes (especially when many members request login codes at once before events).
We’re on the Free tier, and understand the published guidance indicates a limit of ~50 requests/hour per IP. However, with legitimate users behind shared networks (mobile carriers, office networks, etc.), the limit is reached quickly and results in:
invalid_request: The rate limit for endpoint /u/login/passwordless-email-challenge was reached. Please retry after a few minutes.
We already have:
- Email TTL increased to 15 minutes
- Cooldowns and messaging to prevent repeated requests
- Disabled database signups
- Bot Detection enabled
- DKIM/SPF/DMARC fully aligned
We’d like to know:
Is it possible to increase the rate limit for this endpoint on the Free tier, or is upgrading to a paid plan the only path?
If upgrading is required, which plan(s) allow higher passwordless OTP rate limits or relaxed throttling?
Any clarification or recommendations would be greatly appreciated — especially if there are best practices for scaling passwordless email flows during high-traffic windows.
Thank you!
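As an added example (my own code, not part of the post above and not Auth0's SDK), here is the shape of the "cooldown and messaging" layer the poster mentions, written so that repeated clicks from one member never reach the start endpoint and so that the rate-limit error quoted in the post is recognised and turned into a bounded backoff instead of a tight retry loop. The endpoint path and error text are the ones quoted in the post; the 60 s cooldown, the 3-attempt exponential backoff, the email normalisation and the fake per-IP limit of 3/hour used in the demo are all assumptions chosen to keep the run short. The cooldown is keyed on the requesting member rather than on the source IP, which is the point: members behind the same carrier NAT share one per-IP budget, so one impatient member should not be able to spend it for everyone else.

```python
"""Per-email cooldown plus bounded backoff in front of the passwordless
start call.  Added example, not from the original post and not Auth0 code.
Endpoint name and error text are the ones quoted in the post; the cooldown,
retry schedule and the fake per-IP limit below are assumptions."""
import time
from dataclasses import dataclass

# Substring of the error quoted in the post; used to tell a rate-limit
# rejection apart from any other failure.
RATE_LIMIT_MARKER = "The rate limit for endpoint"


@dataclass
class StartResult:
    status: str               # "sent", "cooldown", "rate_limited" or "error"
    retry_after: float = 0.0  # seconds the caller should tell the user to wait
    attempts: int = 0         # calls actually made to the start endpoint


class PasswordlessStarter:
    """Wraps whatever actually POSTs to /passwordless/start (`send_fn`).

    send_fn(email) -> (ok: bool, body: str).  The cooldown is keyed on the
    member, not the source IP, so one member's repeated clicks cannot burn
    the per-IP budget shared by everyone behind the same carrier NAT.
    """

    def __init__(self, send_fn, cooldown_seconds=60.0, max_attempts=3,
                 base_delay=1.0, clock=time.monotonic, sleep=time.sleep):
        self.send_fn = send_fn
        self.cooldown = cooldown_seconds      # assumed value
        self.max_attempts = max_attempts      # assumed value
        self.base_delay = base_delay          # assumed value
        self.clock, self.sleep = clock, sleep
        self._last_sent = {}                  # normalised email -> last send time

    def start(self, email):
        email = email.strip().lower()         # assumed normalisation
        now = self.clock()
        last = self._last_sent.get(email)
        if last is not None and now - last < self.cooldown:
            # Do not touch the endpoint at all; the earlier code is still valid.
            return StartResult("cooldown", retry_after=self.cooldown - (now - last))

        delay = self.base_delay
        for attempt in range(1, self.max_attempts + 1):
            ok, body = self.send_fn(email)
            if ok:
                self._last_sent[email] = self.clock()
                return StartResult("sent", attempts=attempt)
            if RATE_LIMIT_MARKER not in body:
                return StartResult("error", attempts=attempt)   # not a throttle
            if attempt == self.max_attempts:
                # Give up; report the next backoff step as the suggested wait.
                return StartResult("rate_limited", retry_after=delay, attempts=attempt)
            self.sleep(delay)   # exponential backoff: 1s, 2s, 4s ...
            delay *= 2


class FakeClock:
    """Constructed deterministic clock so the example runs offline and instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeStartEndpoint:
    """Constructed stand-in for /passwordless/start: accepts `limit` calls per
    `window` seconds from 'this IP', then returns the error text from the post."""

    def __init__(self, limit=50, window=3600.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = []

    def __call__(self, email):
        now = self.clock()
        self.calls = [t for t in self.calls if now - t < self.window]
        if len(self.calls) >= self.limit:
            return False, ("invalid_request: The rate limit for endpoint "
                           "/passwordless/start was reached. Please retry after a few minutes.")
        self.calls.append(now)
        return True, "ok"


def run_demo():
    """Burst of members behind one shared IP with a tiny limit of 3/hour."""
    clock = FakeClock()
    starter = PasswordlessStarter(FakeStartEndpoint(limit=3, clock=clock),
                                  cooldown_seconds=60.0, clock=clock, sleep=clock.sleep)
    sequence = ["Alice@Example.com", "alice@example.com",   # same member, repeat click
                "bob@example.com", "carol@example.com", "dave@example.com"]
    results = [(e.lower(), starter.start(e)) for e in sequence]
    clock.sleep(3600.0)            # window and cooldowns expire
    results.append(("alice@example.com", starter.start("alice@example.com")))
    return results


if __name__ == "__main__":
    for email, r in run_demo():
        print(f"{email:20} {r.status:13} retry_after={r.retry_after:5.1f} attempts={r.attempts}")
```

Two practical notes on using something like this: show the member the same "check your inbox" message for both `sent` and `cooldown` so the cooldown does not become an oracle for which addresses have recently requested a code, and treat `rate_limited` as a signal to queue and surface the suggested wait rather than to retry again from the browser, since every retry that reaches the endpoint counts against the shared per-IP limit the post is trying to stay under.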