ROPG Flow Contributes to the Database Login Limits

Overview

Auth0 enforces a per-user database login limit (documented in the Auth0 limits reference).

This limit is triggered when a single user makes 20 login attempts (successful or not) within one minute.

A customer also saw this limit applied when calling the oauth/token endpoint with the Resource Owner Password Grant (ROPG) flow.

Applies To

  • oauth/token endpoint
  • ROPG flow
  • Limits

Cause

Requests made through the ROPG flow count toward the database login limit. This causes confusion because users assume they are hitting the oauth/token rate limit when, in reality, they are hitting the database login limit, which can be triggered from several different endpoints.

Solution

Make the user aware that the ROPG flow contributes to the database login limit, so they may not be hitting the oauth/token endpoint rate limit at all. When the oauth/token endpoint is called with the password grant type, the caller supplies database credentials, and Auth0 counts each such call as a login attempt.
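The following added example (not Auth0's code) models why ROPG traffic trips the database login limit: a per-user sliding window counts every request that presents database credentials, so 20 password-grant calls to oauth/token within a minute reach the limit even though no other login endpoint was used, while token requests with other grant types do not count. The endpoint names other than oauth/token, the traffic samples and the exact window semantics are assumptions made for this illustration.

```python
from collections import defaultdict, deque

DB_LOGIN_LIMIT = 20   # login attempts per user that trigger the limit (from the article)
WINDOW_SECONDS = 60   # "within a minute" (from the article)

def is_database_login(endpoint, params):
    """True when a request counts as a database login attempt.

    /oauth/token counts only for grant_type=password (ROPG), because the
    caller is then presenting database credentials. The classic
    /usernamepassword/login endpoint is assumed here to count as well.
    """
    if endpoint == "/oauth/token":
        return params.get("grant_type") == "password"
    return endpoint == "/usernamepassword/login"   # assumption, see lead-in

class DatabaseLoginLimiter:
    """Sliding-window counter of database login attempts per user."""

    def __init__(self, limit=DB_LOGIN_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)   # user -> timestamps inside the window

    def record(self, user, ts, endpoint, params=None):
        """Record one request. Returns (counted, limited):
        counted - the request was a database login attempt
        limited - the user has reached the limit within the window
        """
        if not is_database_login(endpoint, params or {}):
            return False, False
        q = self._attempts[user]
        while q and ts - q[0] >= self.window:   # drop attempts older than the window
            q.popleft()
        q.append(ts)
        return True, len(q) >= self.limit

def first_limited_attempt(events, limit=DB_LOGIN_LIMIT, window=WINDOW_SECONDS):
    """Index of the first event that trips the limit, or None if it is never reached."""
    limiter = DatabaseLoginLimiter(limit, window)
    for i, (user, ts, endpoint, params) in enumerate(events):
        if limiter.record(user, ts, endpoint, params)[1]:
            return i
    return None

# Constructed sample traffic: one user issuing a ROPG call every 2 seconds.
ROPG_ONLY = [("alice", 2.0 * i, "/oauth/token", {"grant_type": "password"}) for i in range(25)]
# Constructed sample: the same cadence, but only every other call carries a password.
MIXED = [("alice", 2.0 * i, "/oauth/token",
          {"grant_type": "password" if i % 2 == 0 else "client_credentials"}) for i in range(25)]

if __name__ == "__main__":
    print("ROPG-only traffic reaches the limit at attempt index", first_limited_attempt(ROPG_ONLY))
    print("Mixed grant types:", first_limited_attempt(MIXED))
```

Only the password-grant calls are counted, so a client that mixes in client_credentials or refresh_token requests sees fewer attempts against the database login limit than its raw oauth/token request count suggests.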