Problem statement
We use the new universal login experience. A user received the below error when making the '/authorize request. Can you help us understand the impact?
invalid_request: You've exceeded the rate limit for /u/login/identifier. Please try again in a short while.
Cause
There are two possibilities for the rate limit exceeded for the authentication API.
- Global limit exceeded.
- Limit per (tenant + session ID) exceeded.
‘/u/login/identifier’ and other prompts are affected by the authentication API global limit defined here: Authentication API Endpoint Rate Limits
We also have rate limits on the Universal Login Prompts to ensure stability and consistency across the platform . The values that apply to both production and development tenants are:
- RPM for GET: 20 burst, 10 per minute
- RPM for POST: 10 burst, 5 per minute
The above limits are per transaction , not global. We ensure we have a limit per screen the user sees and by using the state handle, we assure limits from one transaction won’t mess with a new one (also this will protect transactions from users coming from the same intranet since it will be different limits for every user), this allows us to have low limits that provide more protection.
Solution
These limits are not customizable. But also, this limit does not affect other users in your tenant, so you don’t need to worry about a single user causing an outage, it will only prevent that same user from making multiple calls to the same endpoint.