Authentication API: Rate limits for the Authentication API and API endpoints in the Enterprise subscription type.

| Tenant | Burst Request Limit | Sustained Request Limit | 
|---|---|---|
| Production | 100/second | 100/second | 
| Production (2x Public Performance Burst) | 200/second for 48/hrs per month | 100/second | 
| Production (3x Public Performance Burst) | 300/second for 48/hrs per month | 100/second | 
| Production (4x Public Performance Burst) | 400/second for 48/hrs per month | 100/second | 
| Non-production | 100/second | 100/second | 

| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type | 
|---|---|---|---|---|
| User Info | GET,POST | 10 | 5/minute | To a unique User ID | 
| Change Password Reset Password with Universal Login | POST | 10 | 1/minute | From an IP Address to a unique Email Address | 
| Get Passwordless Code or Link | GET,POST | 50 | 50/hour | From an IP Address | 
| Native Social Login (Apple / Facebook Only) | POST | 50 | 500/minute | Any Request for Apple or Facebook Native Social Login | 
| Dynamic Application (Client) Registration | POST | 5 | 5/second | Any request | 
| Universal Logout | POST | 35 | 35/second | Any request | 
| Pushed Authorization Requests (PAR) | POST | 100 | 100/second | From an IP Address | 
| Back-Channel authorize (CIBA) | POST | 500 | 500/minute | From an IP Address | 
| Device code activation (no prompt) | POST | 30 | 6/second | From an IP Address | 
| Device code authorization | POST | 5 | 5/second | From an IP Address | 
| MFA OOB token exchange | POST | 12 | 12/minute | To a unique session | 

Management API: Rate limits for the Management API, API endpoints, and API endpoint groups in the Enterprise subscription type.

| Tenant Environment | Burst Request Limit | Sustained Request Limit | 
|---|---|---|
| Production | 50 | 16/second | 
| Non-production | 10 | 2/second | 

| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type | 
|---|---|---|---|---|
| Read Organizations by Name | GET | 20 | 200/minute | Any request | 
| Write Organizations | POST,PATCH,DELETE | 5 | 150/minute | Any request | 
| Read Organization Members | GET | 40 | 500/minute | Any request | 
| Write Organization Members | POST,DELETE | 20 | 200/minute | Any request | 
| Read Organization invitation | GET | 20 | 200/minute | Any request | 
| Read Organization Member Roles | GET | 20 | 200/minute | Any request | 
| Write Organization Member Roles | POST,DELETE | 20 | 200/minute | Any request | 
| Read Organization Connections | GET | 10 | 100/minute | Any request | 
| Write Organization Connections | POST,PATCH,DELETE | 5 | 150/minute | Any request | 
| Write Custom Domains | POST | 5 | 5/minute | Any request | 
| Read Status Connection | GET | 100 | 15/second | Any request | 
| Write Signing Keys | POST | 5 | 5/day | Any request | 
| Read Partials for a Prompt | GET | 5 | 5/minute | Any request | 
| Write Partials for a Prompt | PUT | 5 | 5/minute | Any request | 
| Read Clients | GET | 5 | 150/minute | Any request | 
| Read Organization Client Grants | GET | 10 | 100/minute | Any request | 
| Write Organization Client Grants | POST | 5 | 150/minute | Any request | 
| Write email templates | POST,PATCH,DELETE | 10 | 100/minute | Any request | 
| Read email templates | GET | 15 | 150/minute | Any request | 
| Write email provider | POST,PATCH,DELETE | 10 | 100/minute | Any request | 
| Read email provider | GET | 15 | 150/minute | Any request | 

SCIM API: Rate limits for the inbound SCIM API endpoints in Public cloud subscriptions that include Enterprise connections.

| Limit Type | Endpoint Path | Operation | Limit | 
|---|---|---|---|
| Single SCIM connection endpoint | /scim/v2/connections/{connection-id} | Any request | 25 requests per second | 
| Global tenant limit for all SCIM connections | /scim/v2/connections/* | Any request | 100 requests per second | 

Universal Login Flow Endpoints: Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.

| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type | 
|---|---|---|---|---|
| Universal login prompts (global) | GET,POST | 500 | 500/minute | From an IP Address | 
| Universal login prompts (per prompt) | GET | 20 | 10/minute | From an IP Address and state value. | 
| Universal login prompts (per prompt) | POST | 10 | 5/minute | From an IP Address | 
| Password reset prompt | GET | 500 | 500/minute | From an IP Address | 
| MFA push enrollment prompt | GET,POST | 500 | 500/minute | From an IP Address | 
| MFA push challenge prompt | GET,POST | 500 | 500/minute | From an IP Address | 
| MFA SMS enrollment prompt | GET | 20 | 10/minute | From an IP Address | 
| MFA SMS enrollment prompt | POST | 10 | 5/minute | From an IP Address | 
| MFA SMS enrollment verify prompt | GET | 20 | 10/minute | From an IP Address | 
| MFA SMS enrollment verify prompt | POST | 10 | 5/minute | From an IP Address | 
| Passwordless SMS challenge prompt | GET,POST | 5 | 5/minute | From an IP Address | 
| Passwordless email challenge prompt | GET,POST | 5 | 5/minute | From an IP Address | 
| Phone verification enrollment prompt | GET,POST | 5 | 5/minute | From an IP Address | 
| Phone verification challenge prompt | GET,POST | 5 | 5/minute | From an IP Address | 
| Device code prompt | GET,POST | 5 | 5/second | From an IP Address | 

Additional MFA rate limits: Additional MFA rate limits.

| Endpoint | Burst Request Limit | Sustained Request Limit | Limit Type | 
|---|---|---|---|
| OTP (6 numeric digits) failures | 10 | 10/hour | To a unique User ID | 
| Recovery code failures | 10 | 10/hour | To a unique User ID | 
| Webauthn challenge failures | 15 | 15/minute | To a unique User ID | 
| Webauthn challenge generated | 15 | 15/minute | To a unique User ID | 
| Push notifications sent per user | 5 | 5/minute | To a unique User ID | 
| SMS sent per user | 10 | 1/hour | To a unique User ID | 
| Email sent per user | 20 | 1/minute | To a unique User ID |