Authentication API: Rate limits for the Authentication API and API endpoints n the Private Cloud Basic 100 RPS (1x) subscription tier.
Authentication API: Rate limits for the Authentication API and API endpoints n the Private Cloud Basic 100 RPS (1x) subscription tier.
| API | Burst Request Limit | Sustained Request Limit |
|---|---|---|
| Authentication API | 100 | 100/second |
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| User Info | GET, POST | 10 | 5/minute | To a unique User ID |
| Change Password Reset Password with Universal Login | POST | 10 | 1/minute | From an IP Address to a unique Email Address |
| Get Passwordless Code or Link | GET, POST | 50 | 50/hour | From an IP Address |
| Native Social Login (Apple / Facebook Only) | POST | 50 | 500/minute | Any Request for Apple or Facebook Native Social Login |
| Dynamic Application (Client) Registration | POST | 5 | 5/second | Any request |
| Universal Logout | POST | 35 | 35/second | Any request |
| Pushed Authorization Requests (PAR) | POST | 100 | 100/second | From an IP Address |
| Back-Channel authorize (CIBA) | POST | 500 | 500/minute | From an IP Address |
| Device code activation (no prompt) | POST | 30 | 6/second | From an IP Address |
| Device code authorization | POST | 5 | 5/second | From an IP Address |
| MFA OOB token exchange | POST | 12 | 12/minute | To a unique session |
Management API: Rate limits for the Management API, API endpoints, and API endpoint groups in the Private Cloud Basic 100 RPS (1x) subscription.
Management API: Rate limits for the Management API, API endpoints, and API endpoint groups in the Private Cloud Basic 100 RPS (1x) subscription.
| API | Burst Request Limit | Sustained Request Limit |
|---|---|---|
| Management API | 50 | 50/second |
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Read Organizations | GET | 10 | 100/minute | Any request |
| Read Organizations by ID | GET | 40 | 500/minute | Any request |
| Read Organizations by Name | GET | 20 | 200/minute | Any request |
| Write an Organization | POST, PATCH, DELETE | 5 | 150/minute | Any request |
| Read Organization Members | GET | 40 | 500/minute | Any request |
| Write Organization Members | POST, DELETE | 20 | 200/minute | Any request |
| Read Members of an Organization | GET | 20 | 200/minute | Any request |
| Read Organization Member Roles | GET | 20 | 200/minute | Any request |
| Write Organization Member Roles | POST, DELETE | 20 | 200/minute | Any request |
| Write Organization Connections | POST, PATCH, DELETE | 5 | 150/minute | Any request |
| Write Custom Domain | POST | 5 | 5/minute | Any request |
| Read Status Connection | GET | 100 | 15/second | Any request |
| Write Signing Keys | POST | 5 | 5/day | Any request |
| Read Partials for a Prompt | GET | 5 | 5/minute | Any request |
| Write Partials for a Prompt | PUT | 5 | 5/minute | Any request |
| Read Clients
| GET | 5 | 150/minute | Any request |
| Read Organization Client Grants | GET | 10 | 100/minute | Any request |
| Write Organization Client Grants | POST | 5 | 150/minute | Any request |
SCIM API: Rate limits for the inbound SCIM API endpoints in the Private Cloud Basic 100 RPS (1x) subscription type.
SCIM API: Rate limits for the inbound SCIM API endpoints in the Private Cloud Basic 100 RPS (1x) subscription type.
| Limit Type | Endpoint Path | Operation | Limit |
|---|---|---|---|
| Single SCIM connection endpoint | /scim/v2/connections/{connection-id} | Any request | 25 requests per second |
| Global tenant limit for all SCIM connections | /scim/v2/connections/* | Any request | 100 requests per second |
Universal Login Flow Endpoints: Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.
Universal Login Flow Endpoints: Rate limits for the endpoints utilized for the Universal Login Authentication Flow for all subscription types.
| Endpoint | Method | Burst Request Limit | Sustained Request Limit | Limit Type |
|---|---|---|---|---|
| Universal login prompts (global) | GET, POST | 500 | 500/minute | From an IP Address |
| Universal login prompts (per prompt) | GET | 20 | 10/minute | From an IP Address and state value. |
| Universal login prompts (per prompt) | POST | 10 | 5/minute | From an IP Address |
| Password reset prompt | GET | 500 | 500/minute | From an IP Address |
| MFA push enrollment prompt | GET, POST | 500 | 500/minute | From an IP Address |
| MFA push challenge prompt | GET, POST | 500 | 500/minute | From an IP Address |
| MFA SMS enrollment prompt | GET | 20 | 10/minute | From an IP Address |
| MFA SMS enrollment prompt | POST | 10 | 5/minute | From an IP Address |
| MFA SMS enrollment verify prompt | GET | 20 | 10/minute | From an IP Address |
| MFA SMS enrollment verify prompt | POST | 10 | 5/minute | From an IP Address |
| Passwordless SMS challenge prompt | GET, POST | 5 | 5/minute | From an IP Address |
| Passwordless email challenge prompt | GET, POST | 5 | 5/minute | From an IP Address |
| Phone verification enrollment prompt | GET, POST | 5 | 5/minute | From an IP Address |
| Phone verification challenge prompt | GET, POST | 5 | 5/minute | From an IP Address |
| Device code prompt | GET, POST | 5 | 5/second | From an IP Address |
Additional MFA rate limits: Additional MFA rate limits.
Additional MFA rate limits: Additional MFA rate limits.
| Endpoint | Burst Request Limit | Sustained Request Limit | Limit Type | Limit |
|---|---|---|---|---|
| OTP (6 numeric digits) failures | 10 | 10 | per hour | To a unique User ID |
| Recovery code failures | 10 | 10 | per hour | To a unique User ID |
| Webauthn challenge failures | 15 | 15 | per minute | To a unique User ID |
| Webauthn challenge generated | 15 | 15 | per minute | To a unique User ID |
| Push notifications sent per user | 5 | 5 | per minute | To a unique User ID |
| SMS sent per user | 10 | 1 | per hour | To a unique User ID |
| Email sent per user | 20 | 1 | per minute | To a unique User ID |