/userinfo Endpoint Returns "429 Rate Limits" Error

Last Updated: Aug 12, 2024

Overview

The /userinfo endpoint returns HTTP 429 error codes when an application exceeds its rate limits.

The following api_limit entries in the tenant logs can be a signal of this issue:

...
...
  "type": "api_limit",
  "description": "You passed the limit of allowed calls to `/userinfo` with the same user.",
...
...
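As an added example (not part of the original article), the Python snippet below reads tenant log events as newline-delimited JSON, keeps the api_limit entries whose description names /userinfo, and counts them per client and UTC hour so the application that needs the fix can be identified. The log lines are constructed; the date, client_id and client_name fields are assumed to be present on the event and do not appear in the fragment above.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of tenant log events, one JSON object per line. The article's
# fragment shows only "type" and "description"; "date", "client_id" and
# "client_name" are assumed fields used here to attribute the events.
SAMPLE_LOG_LINES = """
{"date":"2024-08-12T10:01:02.000Z","type":"api_limit","description":"You passed the limit of allowed calls to `/userinfo` with the same user.","client_id":"app_A","client_name":"Web App A"}
{"date":"2024-08-12T10:01:05.000Z","type":"s","description":"Successful login","client_id":"app_A","client_name":"Web App A"}
{"date":"2024-08-12T10:02:40.000Z","type":"api_limit","description":"You passed the limit of allowed calls to `/userinfo` with the same user.","client_id":"app_A","client_name":"Web App A"}
{"date":"2024-08-12T10:59:59.000Z","type":"api_limit","description":"You passed the limit of allowed calls to `/userinfo` with the same user.","client_id":"app_A","client_name":"Web App A"}
this line is not JSON and is skipped by the parser
{"date":"2024-08-12T11:10:00.000Z","type":"api_limit","description":"You passed the limit of allowed calls to `/userinfo` with the same user.","client_id":"app_B","client_name":"Mobile App B"}
{"date":"2024-08-12T11:12:00.000Z","type":"api_limit","description":"Constructed: limit exceeded on another endpoint.","client_id":"app_B","client_name":"Mobile App B"}
""".strip().splitlines()


def parse_log_lines(lines):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def userinfo_rate_limit_events(events):
    """Keep only api_limit events whose description names /userinfo."""
    return [
        e for e in events
        if e.get("type") == "api_limit" and "/userinfo" in e.get("description", "")
    ]


def offenders_by_client_hour(events):
    """Count /userinfo api_limit events per (client_id, UTC hour) so the
    application and time window that need the caching fix stand out."""
    counts = Counter()
    for e in userinfo_rate_limit_events(events):
        ts = datetime.fromisoformat(e["date"].replace("Z", "+00:00")).astimezone(timezone.utc)
        counts[(e.get("client_id", "unknown"), ts.strftime("%Y-%m-%dT%H"))] += 1
    return dict(counts)


def report(lines=SAMPLE_LOG_LINES):
    """Print the busiest (client, hour) buckets first and return the counts."""
    counts = offenders_by_client_hour(parse_log_lines(lines))
    for (client_id, hour), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{hour}Z  client={client_id:<8} userinfo_api_limit_events={n}")
    return counts


if __name__ == "__main__":
    report()
```

Running the module prints one line per client and hour; a real log export from the tenant can be passed to report() in place of the constructed sample.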

Applies To

  • Rate limits
  • /userinfo endpoint
  • 429 Error code

Cause

The application is not complying with Auth0's Rate Limits Policy: it calls /userinfo for the same user more often than the policy allows.

Solution

Please review Auth0’s Rate Limits Policy. We highly recommend handling rate limits in the application’s code by using the information in the rate-limit HTTP headers returned with each response.

All Auth0 services have built-in rate limiting and automated blocking features to mitigate distributed denial-of-service (DDoS) and authentication attacks. The Auth0 network infrastructure is protected against volumetric attacks by its cloud providers, in addition to a dedicated DDoS mitigation service. Furthermore, to protect the platform, Auth0 imposes rate limits on APIs and database calls.

More information about specific rate limits is available in Auth0’s Rate Limits documentation.

To avoid 429 errors from the /userinfo endpoint, consider requesting an ID Token to get information about the user. By caching this ID Token, the application can reduce the number of calls it makes to /userinfo.

Alternatively, the application can cache the data returned by the /userinfo request so that fewer API calls are made. However, using the ID Token is the suggested approach.
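The two recommendations above (honouring the rate-limit HTTP headers in application code, and caching the ID Token or the /userinfo response) are combined in the following added example, which is not code from Auth0. It assumes the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset response headers that Auth0 documents, with X-RateLimit-Reset expressed in UTC epoch seconds; the transport callable, the fake /userinfo server and the demo ID Token (placeholder signature) are constructed so the example runs offline.

```python
import base64
import hashlib
import json
import time

# Header names follow the X-RateLimit-* headers Auth0 documents for rate-limited
# endpoints (assumed here); transport, fake server and demo token are constructed.


class RateLimited(Exception):
    """Raised instead of calling /userinfo while the limit window is still open."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token):
    """Return the ID token payload. Signature, issuer, audience and expiry must have
    been validated (e.g. against the tenant JWKS) before these claims are trusted;
    that validation step is outside this example."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_demo_id_token(claims):
    """Constructed fixture with a placeholder signature, not a valid Auth0 token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


class UserInfoClient:
    """Caches per-user claims and honours the rate-limit headers, so a burst of
    requests for one user does not become a burst of /userinfo calls."""

    def __init__(self, transport, ttl_seconds=300, clock=time.time):
        self._transport = transport  # transport(access_token) -> (status, headers, body)
        self._ttl, self._clock = ttl_seconds, clock
        self._cache = {}             # sha256(access token) -> (expires_at, claims)
        self._blocked_until = 0.0    # epoch seconds until which /userinfo is off-limits
        self.remote_calls = 0

    def get_claims(self, access_token, id_token=None):
        now = self._clock()
        # Key the cache on a digest so the raw bearer token is not stored a second time.
        key = hashlib.sha256(access_token.encode()).hexdigest()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1]
        if id_token is not None:
            # The ID token already carries the profile claims: no network call needed.
            claims = decode_id_token_claims(id_token)
            self._cache[key] = (now + self._ttl, claims)
            return claims
        if now < self._blocked_until:
            raise RateLimited(f"retry after epoch {self._blocked_until:.0f}")
        status, headers, body = self._transport(access_token)
        self.remote_calls += 1
        reset = float(headers.get("X-RateLimit-Reset", now + 1))
        if status == 429:
            # Back off until the advertised reset; if that is already past, wait 1 s.
            self._blocked_until = max(reset, now + 1)
            raise RateLimited(f"retry after epoch {self._blocked_until:.0f}")
        if status != 200:
            raise RuntimeError(f"/userinfo returned HTTP {status}")
        if headers.get("X-RateLimit-Remaining") == "0":
            # Quota exhausted: stop calling before the server has to answer 429.
            self._blocked_until = max(reset, now)
        claims = json.loads(body)
        self._cache[key] = (now + self._ttl, claims)
        return claims


class FakeUserInfoServer:
    """Constructed stand-in for /userinfo: `limit` successful calls, then 429."""

    def __init__(self, limit, reset_at):
        self.limit, self.reset_at, self.calls = limit, reset_at, 0

    def __call__(self, access_token):
        self.calls += 1
        headers = {"X-RateLimit-Limit": str(self.limit),
                   "X-RateLimit-Remaining": str(max(self.limit - self.calls, 0)),
                   "X-RateLimit-Reset": str(self.reset_at)}
        if self.calls > self.limit:
            return 429, headers, "{}"
        return 200, headers, json.dumps({"sub": f"auth0|{access_token}"})


def demo():
    """Cache hit, proactive back-off, a real 429, then the no-network ID token path."""
    clock = [1000.0]
    server = FakeUserInfoServer(limit=2, reset_at=1060)
    client = UserInfoClient(server, ttl_seconds=30, clock=lambda: clock[0])
    client.get_claims("tok1")
    client.get_claims("tok1")          # served from cache, no request
    client.get_claims("tok2")          # Remaining reaches 0 -> client blocks itself
    outcomes = []
    for t in (1000.0, 1061.0):         # first: local block, no request; second: server 429
        clock[0] = t
        try:
            client.get_claims("tok3")
        except RateLimited:
            outcomes.append(server.calls)
    claims = client.get_claims("tok3", id_token=make_demo_id_token({"sub": "auth0|tok3"}))
    return {"remote_calls": client.remote_calls, "outcomes": outcomes, "sub": claims["sub"]}
```

In a real application the transport would perform the HTTPS request to /userinfo with the access token as a bearer credential, and the ID Token would be validated (signature, issuer, audience, expiry) before decode_id_token_claims is ever called on it; the cache time-to-live should not exceed the lifetime of the token it was populated from.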

Read more about how to retrieve an ID Token in Auth0’s ID Token documentation.

Related References