[DO NOT MERGE] Rate limits #1
Conversation
| The rate limits for this API differ depending on whether your tenant is free or paid. | ||
|
|
||
| ::: note | ||
| For all __free tenants__, Authentication API usage is restricted to 300 requests per minute. Note that the limit is set by tenant and not by endpoint. |
There was a problem hiding this comment.
Would we link to the "long" page from here?
There was a problem hiding this comment.
If we decide to use both (my particular preference) then yes.
| useCase: | ||
| - support | ||
| --- | ||
| # Authentication API: Global Rate Limit Policy |
There was a problem hiding this comment.
I can't find the document right now but I seem to remember reading (and talking to others) about how our SLA covers the Authentication API only.
So we may want to be careful about calling these sets of endpoints the Authentication API as that might cause confusion if we use a different definition here than elsewhere.
There was a problem hiding this comment.
How would you call them?
There was a problem hiding this comment.
Firstly, I'm not 100% sure having "Authentication API" in there is a problem, just raising it here for discussion.
What if the short paragraph below was called "Free Tenants Global Rate Limit Policy" and at the same level as https://auth0.com/docs/policies/rate-limits#endpoints-with-rate-limits?
Then this could just be the "Free Tenants Global Rate Limit Policy" details page.
articles/policies/global-limit.md
Outdated
| # Authentication API: Global Rate Limit Policy | ||
| To ensure the quality of Auth0's services, the Authentication API is subject to several levels of rate limiting. | ||
|
|
||
| This document describes the global rate limiting policy applicable to __free tenants__. Please visit [Rate limits](policies/rate-limits) for more information on other applicable limits. |
articles/policies/global-limit.md
Outdated
| It is important to consider that the limit is set globally by tenant and not by endpoint. | ||
|
|
||
| ### Affected endpoints | ||
| The global rate limit applies to all the [Authentication API](/api/authentication) endpoints, below you will find a complete list of endpoints that are affected by this limit and the associated response in case the rate limit is exceeded. |
There was a problem hiding this comment.
The global rate limit applies to all the Authentication API endpoints. Below you will find a complete list of endpoints that are affected by this limit and the associated response if you exceed the rate limit.
articles/policies/global-limit.md
Outdated
| `GET /v2/logout` | [Error Page](#error-page) | ||
|
|
||
| ## Exceeding the Rate Limit | ||
| If you exceed the provided rate limit for a given API endpoint, you will receive a response with [HTTP Status Code 429 (Too Many Requests)](http://tools.ietf.org/html/rfc6585#section-4) except for the cases documented above. The response will also contain the [HTTP Response Headers](policies/rate-limits#http-response-headers) which you can refer to for more information on the rate limits applicable to that endpoint. |
There was a problem hiding this comment.
If you exceed the rate limit for a given API endpoint, you'll receive an HTTP 429 (Too Many Requests) response (except for the cases documented in the section immediately above. The response will also contain HTTP Response Headers that provide additional information on the rate limits applicable to that endpoint.
articles/policies/global-limit.md
Outdated
| If you exceed the provided rate limit for a given API endpoint, you will receive a response with [HTTP Status Code 429 (Too Many Requests)](http://tools.ietf.org/html/rfc6585#section-4) except for the cases documented above. The response will also contain the [HTTP Response Headers](policies/rate-limits#http-response-headers) which you can refer to for more information on the rate limits applicable to that endpoint. | ||
|
|
||
| ### Response body | ||
| The response body depends on the endpoint and, in particular, the response the endpoint was meant to render originally. For example, if the response was meant to render JSON, then a JSON error response will be sent. |
There was a problem hiding this comment.
The response body you receive depends on the endpoint itself, as well as the response the endpoint was meant to send originally. For example, if the original response expected was JSON, then a JSON error response will be sent if there are any issues.
The following sections provide additional information about the errors possible.
articles/policies/global-limit.md
Outdated
| The particular response per endpoint is stated in [Affected endpoints](#affected-endpoints) section, below you will find a description for each case. | ||
|
|
||
| #### Error Page | ||
| This response is sent for endpoints that render HTML content to the end user. When the rate limit is exceeded the [Error Page](https://auth0.com/docs/universal-login/custom-error-pages) will be rendered instead of the usual content. |
There was a problem hiding this comment.
The Error Page response is sent for endpoints that render HTML content to the end user. When you exceed the rate limit, Auth0 renders the Error Page instead of the expected content.
| - `fed:BadRequest` will be sent for WSFED-related endpoints. | ||
| - `wst:RequestFailed` will be used in for WSTrust-related endpoints. | ||
|
|
||
| ```xml |
There was a problem hiding this comment.
Again, maybe move the sample to follow the first sentence of this section?
articles/policies/global-limit.md
Outdated
| </env:Envelope> | ||
| ``` | ||
|
|
||
| ## FAQ |
There was a problem hiding this comment.
We try to avoid FAQ sections, so let's turn these into headers and move them to near the top of the page:
Exceeding the rate limit
For every hour that you exceed the global rate limit, Auth0 will write the following to your logs: You have reached the global limit for your account.
You can search for the log entries using the Dashboard.
Reducing the number of calls to Auth0
When you exceed your rate limits, you'll need to reduce the number of calls you make to Auth0. The specifics of what you need to do depends on your use case, but here are some recommendations with which to begin:
- Cache
/.well-known/*information: this information does not change frequently, so you can usually cache it to reduce the number of times you need to call Auth0- Consider requesting an
id_tokeninstead of calling/userinfoto get information about the user
articles/policies/rate-limits.md
Outdated
| ### Authentication API | ||
|
|
||
| The following Auth0 Authentication API endpoints return rate limit-related headers. | ||
| The rate limits for this API differ depending on whether your tenant is free or paid. |
There was a problem hiding this comment.
The rate limits for the Authentication API differ depending on whether you have a free or a paid tenant.
articles/policies/rate-limits.md
Outdated
| ::: note | ||
| For all __free tenants__, Authentication API usage is restricted to 300 requests per minute. Note that the limit is set by tenant and not by endpoint. | ||
|
|
||
| The tenants that have no credit card associated in the [Dashboard](${manage_url}/#/tenant/billing/payment) are free except for tenants associated to an enterprise subscription. |
There was a problem hiding this comment.
The tenants that have no credit card information associated in the Dashboard are considered to be free tenants (excepting tenants associated with an enterprise subscription).
articles/policies/rate-limits.md
Outdated
| <tr> | ||
| <td>(any request)</td> | ||
| <td>Free (*)</td> | ||
| <td>200 requests per minute</td> |
|
@khorne3 applied your feedback, moved the faq inside |
3 participants
Global rate limits WIP