Auth0 Home Blog Docs

What's the scope of the /userinfo rate limit?

rate-limit

#1

Calling the /userinfo endpoint returns X-RateLimit headers. I get back an allowed rate of 10 per minute. Are these limits per tenant, per client or per access token passed to /userinfo? I looked at the Rate Limit documentation and it was clear that Management API limits are applier tenant, but I could not find information for the granularity at which /userinfo limits are applied.


#2

I submitted a request to include more information about the scope of the limit applied to the /userinfo endpoint in the associated documentation. Some preliminary tests suggest that the limit is applied per user, but hopefully this will soon be documented in order to remove any ambiguity.


Update: The authentication API rate limits documentation now includes a scope column in the limits table to provide additional information about the scope in which the limit is applied; the actual limit numbers should be obtained from the HTTP responses.


#3

@jmangelo thanks for following up. The /userinfo rate limit is especially important since it seems to be only way to verify the access token from the Implicit Grant return (webAuth + social). I intend to cache the access token at the server and not hit Auth0 every time the client accesses the server, however it would be nice to know what the /userinfo limits are so that I can tune the cache times.


#4

Did we finally get an answer to this question?


#5

@jmangelo thanks for following up. The /userinfo rate limit is especially important since it seems to be only way to verify the access token from the Implicit Grant return (webAuth + social). I intend to cache the access token at the server and not hit Auth0 every time the client accesses the server, however it would be nice to know what the /userinfo limits are so that I can tune the cache times.


#6

Did we finally get an answer to this question?


#7

The docs still have the same information so that would be a no, I’m tracking down what happened to my previous request for an update. Thanks for bringing this to my attention.


#8

@jaiwant.mulik @louis-philippe.meunier The documentation for the authentication API limits has now been updated to contain a scope column with additional information. I’ll update my answer accordingly for greater visibility.


#9