Skip to main content

Authentication API

Review the following table for Global Authentication API Rate Limits, or the rate limit policy protecting nearly all Authentication API endpoints. Rate limits for the Authentication API and API endpoints in the Enterprise subscription type:
TenantBurst Request LimitSustained Request Limit
Production100/second100/second
Production (2x Public Performance Burst)200/second for 48/hrs per month100/second
Production (3x Public Performance Burst)300/second for 48/hrs per month100/second
Production (4x Public Performance Burst)400/second for 48/hrs per month100/second
Non-production100/second100/second
These limits are constrained to 48 hours per month. After 48 hours, these limits revert to product limits. For more information, read Public Performance Burst.
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
User InfoGET, POST105/minuteTo a unique User ID
Change PasswordPOST101/minuteFrom an IP Address to a unique Email Address
Reset Password with Universal LoginPOST101/minuteFrom an IP Address to a unique Email Address
Get Passwordless Code or LinkGET, POST5050/hourFrom an IP Address
Native Social Login (Apple / Facebook Only)POST50500/minuteAny Request for Apple or Facebook Native Social Login
Dynamic Application (Client) RegistrationPOST55/secondAny request
Universal LogoutPOST3535/secondAny request
Pushed Authorization Requests (PAR)POST100100/secondFrom an IP Address
Back-Channel authorize (CIBA)POST500500/minuteFrom an IP Address
Device code activation (no prompt)POST306/secondFrom an IP Address
Device code authorizationPOST55/secondFrom an IP Address
MFA OOB token exchangePOST1212/minuteTo a unique session
Custom Token ExchangePOST1515/secondAny request
Represents the default limit. You can configure the Signup endpoint limit in Auth0 Dashboard. To learn more, read Suspicious IP Throttling.

Management API

Review the following table for Global Management API Rate Limits. Most Management API endpoints, except those listed under “endpoints”, are protected by these rate limit policies. Rate limits for the Management API, API endpoints, and API endpoint groups in the Enterprise subscription type:
Tenant EnvironmentBurst Request LimitSustained Request Limit
Production5016/second
Non-production102/second
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
Read Organizations by NameGET20200/minuteAny request
Write OrganizationsPOST, PATCH, DELETE5150/minuteAny request
Read Organization MembersGET40500/minuteAny request
Write Organization MembersPOST, DELETE20200/minuteAny request
Read Organization invitationGET20200/minuteAny request
Write Organization invitationPOST20200/minuteAny request
Read Organization Member RolesGET20200/minuteAny request
Write Organization Member RolesPOST, DELETE20200/minuteAny request
Read Organization ConnectionsGET10100/minuteAny request
Write Organization ConnectionsPOST, PATCH, DELETE5150/minuteAny request
Write Custom DomainsPOST55/minuteAny request
Read Status ConnectionGET10015/secondAny request
Write Signing KeysPOST55/dayAny request
Read Partials for a PromptGET55/minuteAny request
Write Partials for a PromptPUT55/minuteAny request
Read Clients
Only applies to the usage of the q parameter.		GET5150/minuteAny request
Read Organization Client GrantsGET10100/minuteAny request
Write Organization Client GrantsPOST5150/minuteAny request
Write email templatesPOST, PATCH, DELETE10100/minuteAny request
Read email templatesGET15150/minuteAny request
Write email providerPOST, PATCH, DELETE10100/minuteAny request
Read email providerGET15150/minuteAny request
Write Token Exchange ProfilesPOST, PATCH, DELETE5100/minuteAny request
Read Token Exchange ProfilesGET20200/minuteAny request

SCIM API

Rate limits for the inbound SCIM API endpoints in public cloud subscriptions that include Enterprise connections:
Limit TypeEndpoint PathOperationLimit
Single SCIM connection endpoint/scim/v2/connections/{connection-id}Any request25 requests per second
Global tenant limit for all SCIM connections/scim/v2/connections/*Any request100 requests per second

Universal Login Flow Endpoints

Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types:
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
Universal login prompts (global)GET, POST500500/minuteFrom an IP Address
Universal login prompts (per prompt)GET2010/minuteFrom an IP Address and state value.
Universal login prompts (per prompt)POST105/minuteFrom an IP Address
Password reset promptGET500500/minuteFrom an IP Address
MFA push enrollment promptGET, POST500500/minuteFrom an IP Address
MFA push challenge promptGET, POST500500/minuteFrom an IP Address
MFA SMS enrollment promptGET2010/minuteFrom an IP Address
MFA SMS enrollment promptPOST105/minuteFrom an IP Address
MFA SMS enrollment verify promptGET2010/minuteFrom an IP Address
MFA SMS enrollment verify promptPOST105/minuteFrom an IP Address
Passwordless SMS challenge promptGET, POST55/minuteFrom an IP Address
Passwordless email challenge promptGET, POST55/minuteFrom an IP Address
Phone verification enrollment promptGET, POST55/minuteFrom an IP Address
Phone verification challenge promptGET, POST55/minuteFrom an IP Address
Device code promptGET, POST55/secondFrom an IP Address

Additional MFA rate limits

EndpointBurst Request LimitSustained Request LimitLimit TypeLimit
OTP (6 numeric digits) failures1010per hourTo a unique User ID
Recovery code failures1010per hourTo a unique User ID
Webauthn challenge failures1515per minuteTo a unique User ID
Webauthn challenge generated1515per minuteTo a unique User ID
Push notifications sent per user55per minuteTo a unique User ID
SMS sent per user101per hourTo a unique User ID
Email sent per user201per minuteTo a unique User ID