See below for the rate limits in the Private Cloud Performance 10,000 RPS (100x) subscription type. Therefore, we recommend deploying one tenant per private cloud environment for risk mitigation.
APIBurst Request LimitSustained Request LimitPeak Request Limit
Authentication API10,00010,000/secondN/A
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
User InfoGET, POST105/minuteTo a unique User ID
Change Password

Reset Password with Universal Login		POST101/minuteFrom an IP Address to a unique Email Address
Get Passwordless Code or LinkGET, POST5050/hourFrom an IP Address
Native Social Login (Apple / Facebook Only)POST50500/minuteAny Request for Apple or Facebook Native Social Login
Dynamic Application (Client) RegistrationPOST55/secondAny request
Universal LogoutPOST25002500/secondAny request
Pushed Authorization Requests (PAR)POST100100/secondFrom an IP Address
Back-Channel authorize (CIBA)POST500500/minuteFrom an IP Address
Device code activation (no prompt)POST306/secondFrom an IP Address
Device code authorizationPOST55/secondFrom an IP Address
MFA OOB token exchangePOST1212/minuteTo a unique session
*Represents the default limit. You can configure the Signup endpoint limit in Auth0 Dashboard. To learn more, read Suspicious IP Throttling.
APIBurst Request LimitSustained Request Limit
Management API50005000/second
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
Read OrganizationsGET1,00010,000/minuteAny request
Read Organizations by IDGET4,00050,000/minuteAny request
Read Organizations by NameGET2,00020,000/minuteAny request
Write an OrganizationPOST, PATCH, DELETE50015,000/minuteAny request
Read Organization MembersGET4,80060,000/minuteAny request
Write Organization MembersPOST, DELETE2,40024,000/minuteAny request
Read Members of an OrganizationGET2,40024,000/minuteAny request
Read Organization Member RolesGET2,40024,000/minuteAny request
Write Organization Member RolesPOST, DELETE2,40024,000/minuteAny request
Read Organization ConnectionsGET1,20012,000/minuteAny request
Write Organization ConnectionsPOST, PATCH, DELETE60018,000/minuteAny request
Write Custom DomainPOST55/minuteAny request
Write Status ConnectionPOST10015/secondAny request
Write Signing KeysPOST55/dayAny request
EndpointMethodBurst Request LimitSustained Request LimitLimit Type
Universal login prompts (global)GET, POST500500/minuteFrom an IP Address
Universal login prompts (per prompt)GET2010/minuteFrom an IP Address and state value.
Universal login prompts (per prompt)POST105/minuteFrom an IP Address
Password reset promptGET500500/minuteFrom an IP Address
MFA push enrollment promptGET, POST500500/minuteFrom an IP Address
MFA push challenge promptGET, POST500500/minuteFrom an IP Address
MFA SMS enrollment promptGET2010/minuteFrom an IP Address
MFA SMS enrollment promptPOST105/minuteFrom an IP Address
MFA SMS enrollment verify promptGET2010/minuteFrom an IP Address
MFA SMS enrollment verify promptPOST105/minuteFrom an IP Address
Passwordless SMS challenge promptGET, POST55/minuteFrom an IP Address
Passwordless email challenge promptGET, POST55/minuteFrom an IP Address
Phone verification enrollment promptGET, POST55/minuteFrom an IP Address
Phone verification challenge promptGET, POST55/minuteFrom an IP Address
Device code promptGET, POST55/secondFrom an IP Address
EndpointBurst Request LimitSustained Request LimitLimit TypeLimit
OTP (6 numeric digits) failures1010per hourTo a unique User ID
Recovery code failures1010per hourTo a unique User ID
Webauthn challenge failures1515per minuteTo a unique User ID
Webauthn challenge generated1515per minuteTo a unique User ID
Push notifications sent per user55per minuteTo a unique User ID
SMS sent per user101per hourTo a unique User ID
Email sent per user201per minuteTo a unique User ID