Enterprise
See below for the rate limits in the Enterprise subscription type.
Rate limits for the Authentication API and API endpoints in the Enterprise subscription type.
Tenant | Burst Request Limit | Sustained Request Limit |
---|---|---|
Production | 100/second | 100/second |
Production (2x Public Performance Burst) | 200/second for 48/hrs per month | 100/second |
Production (3x Public Performance Burst) | 300/second for 48/hrs per month | 100/second |
Production (4x Public Performance Burst) | 400/second for 48/hrs per month | 100/second |
Non-production | 100/second | 100/second |
*These limits are constrained to 48 hours per month. After 48 hours, these limits revert to product limits. For more information, see Public Performance Burst.
Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
---|---|---|---|---|
User Info | GET , POST |
10 | 5/minute | To a unique User ID |
Change Password Reset Password with Universal Login |
POST |
10 | 1/minute | From an IP Address to a unique Email Address |
Get Passwordless Code or Link | GET , POST |
50 | 50/hour | From an IP Address |
Native Social Login (Apple / Facebook Only) | POST |
50 | 500/minute | Any Request for Apple or Facebook Native Social Login |
Dynamic Application (Client) Registration | POST |
5 | 5/second | Any request |
Universal Logout | POST |
35 | 35/second | Any request |
Pushed Authorization Requests (PAR) | POST |
100 | 100/second | From an IP Address |
Back-Channel authorize (CIBA) | POST |
500 | 500/minute | From an IP Address |
Device code activation (no prompt) | POST |
30 | 6/second | From an IP Address |
Device code authorization | POST |
5 | 5/second | From an IP Address |
MFA OOB token exchange | POST |
12 | 12/minute | To a unique session |
*Represents the default limit. You can configure the Signup endpoint limit in Auth0 Dashboard. To learn more, read Suspicious IP Throttling.
Rate limits for the Management API, API endpoints, and API endpoint groups in the Enterprise subscription type.
Tenant Environment | Burst Request Limit | Sustained Request Limit |
---|---|---|
Production | 50 | 16/second |
Non-production | 10 | 2/second |
Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
---|---|---|---|---|
Read Organizations by Name | GET |
20 | 200/minute | Any request |
Write Organizations | POST , PATCH , DELETE |
5 | 150/minute | Any request |
Read Organization Members | GET |
40 | 500/minute | Any request |
Write Organization Members | POST , DELETE |
20 | 200/minute | Any request |
Read Organization invitation | GET |
20 | 200/minute | Any request |
Read Organization Member Roles | GET |
20 | 200/minute | Any request |
Write Organization Member Roles | POST , DELETE |
20 | 200/minute | Any request |
Read Organization Connections | GET |
10 | 100/minute | Any request |
Write Organization Connections | POST , PATCH , DELETE |
5 | 150/minute | Any request |
Write Custom Domains | POST |
5 | 5/minute | Any request |
Read Status Connection | GET |
100 | 15/second | Any request |
Write Signing Keys | POST |
5 | 5/day | Any request |
Read Partials for a Prompt | GET |
5 | 5/minute | Any request |
Write Partials for a Prompt | PUT |
5 | 5/minute | Any request |
Read Clients
|
GET |
5 | 150/minute | Any request |
Read Organization Client Grants | GET |
10 | 100/minute | Any request |
Write Organization Client Grants | POST |
5 | 150/minute | Any request |
Write email templates | POST , PATCH , DELETE |
10 | 100/minute | Any request |
Read email templates | GET |
15 | 150/minute | Any request |
Write email provider | POST , PATCH , DELETE |
10 | 100/minute | Any request |
Read email provider | GET |
15 | 150/minute | Any request |
Rate limits for the inbound SCIM API endpoints in Public cloud subscriptions that include Enterprise connections.
Limit Type | Endpoint Path | Operation | Limit |
---|---|---|---|
Single SCIM connection endpoint | /scim/v2/connections/{connection-id} |
Any request | 25 requests per second |
Global tenant limit for all SCIM connections | /scim/v2/connections/* |
Any request | 100 requests per second |
Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.
Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
---|---|---|---|---|
Universal login prompts (global) | GET , POST |
500 | 500/minute | From an IP Address |
Universal login prompts (per prompt) | GET |
20 | 10/minute | From an IP Address |
Universal login prompts (per prompt) | POST |
10 | 5/minute | From an IP Address |
Password reset prompt | GET |
500 | 500/minute | From an IP Address |
MFA push enrollment prompt | GET , POST |
500 | 500/minute | From an IP Address |
MFA push challenge prompt | GET , POST |
500 | 500/minute | From an IP Address |
MFA SMS enrollment prompt | GET |
20 | 10/minute | From an IP Address |
MFA SMS enrollment prompt | POST |
10 | 5/minute | From an IP Address |
MFA SMS enrollment verify prompt | GET |
20 | 10/minute | From an IP Address |
MFA SMS enrollment verify prompt | POST |
10 | 5/minute | From an IP Address |
Passwordless SMS challenge prompt | GET , POST |
5 | 5/minute | From an IP Address |
Passwordless email challenge prompt | GET , POST |
5 | 5/minute | From an IP Address |
Phone verification enrollment prompt | GET , POST |
5 | 5/minute | From an IP Address |
Phone verification challenge prompt | GET , POST |
5 | 5/minute | From an IP Address |
Device code prompt | GET , POST |
5 | 5/second | From an IP Address |
Additional MFA rate limits.
Endpoint | Burst Request Limit | Sustained Request Limit | Limit Type | Limit |
---|---|---|---|---|
OTP (6 numeric digits) failures | 10 | 10 | per hour | To a unique User ID |
Recovery code failures | 10 | 10 | per hour | To a unique User ID |
Webauthn challenge failures | 15 | 15 | per minute | To a unique User ID |
Webauthn challenge generated | 15 | 15 | per minute | To a unique User ID |
Push notifications sent per user | 5 | 5 | per minute | To a unique User ID |
SMS sent per user | 10 | 1 | per hour | To a unique User ID |
Email sent per user | 20 | 1 | per minute | To a unique User ID |