On This Page

Rate limits overview

To protect the service for all customers, Okta APIs are subject to rate limiting. These limits mitigate denial-of-service attacks and abusive actions such as rapidly updating configurations, aggressive polling and concurrency, or excessive API calls.

The Okta API rate limits are divided into three categories: authentication/end user, management, and other endpoints. Each category has APIs with rate limits that are enforced individually as well as a cumulative rate limit. The rate limits vary by service subscription (opens new window).

API rate limit categories and cumulative rate limits

To access the individual API limits, visit a category page by clicking the appropriate category link in the table.

We enforce the following per-minute limits.

Category Developer (free) Developer (paid) One App Enterprise Workforce Identity
Authentication/End user 2,100 13,000 13,000 13,000 18,250
Management 980 5,200 5,200 5,200 7,000
Other endpoints 1,000 6,000 6,000 6,000 10,000

If any org-wide rate limit is exceeded, an HTTP 429 status code is returned. You can anticipate hitting the rate limit by checking Okta's rate limiting headers. Additionally, if you have a One App or Enterprise organization, the Admin Console displays a banner, and you are sent an email notification when your org approaches its rate limit.


  • In addition to the rate limit per API, Okta implements limits on concurrent requests, Okta-generated email messages, end user requests, and home page endpoints. These limits are described on the Additional limits page.
  • DynamicScale rate limits apply to a variety of endpoints across different APIs for customers that purchased this add-on.
  • Rate limits may be changed to protect customers. We provide advance warning of changes when possible.
  • You can expand the Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.

Other applicable rate limit content

  • Rate limit dashboard: The rate limit dashboard helps you understand the rate limit and current use of an API. The dashboard provides you with the ability to track the API's use and to notify you with alerts when the API is about to hit or has hit the rate limit. You can also use the multiple views of data use on the dashboard to investigate high usage or rate limit violations.

  • Concurrent rate limits: To protect the service for all customers, Okta enforces concurrent rate limits, which is a limit on the number of simultaneous transactions. Concurrent rate limits are distinct from the org-wide, per-minute API rate limits, which measure the total number of transactions per minute. Transactions are typically very short-lived. Even very large bulk loads rarely use more than 10 simultaneous transactions at a time.

  • Client-based rate limits: To provide granular isolation, client-based rate limiting uses a combination of the client ID/IP address/device identifier for requests made to the OAuth 2.0 /authorize endpoint or the IP address/device identifier for requests made to the /login/login.htm endpoint. This framework isolates OAuth 2.0 clients that are generating unexpected traffic, thereby it ensures valid users and applications don't run into rate limit violations.

  • DynamicScale rate limits: If your needs exceed Okta's default rate limits for the base product subscriptions (One App or Enterprise) that you've already purchased, the DynamicScale add-on service grants you higher limits for a variety of endpoints across different APIs.

  • End-user rate limits: Okta limits the number of requests from the Admin Console and End-User Dashboard to 40 requests per user per 10 seconds per endpoint. This rate limit protects users from each other and from other API requests in the system.

  • Home page endpoints and per-minute limits: These endpoints are used by the Okta home page for authentication and user sign in and have org-wide rate limits.

  • Okta API endpoints and per-user limits: API endpoints that take username and password credentials, including the Authentication API and the OAuth 2.0 resource owner password flow, have a per-username rate limit to prevent brute force attacks with the user's password. SMS and Call factor endpoints also have a per-username rate limit.

  • Okta-generated email message rate limits: These rate limits vary by email type. Okta enforces rate limits on the number of Okta-generated email messages that are sent to customers and customer users. For example, if the number of emails sent to a given user exceeds the per-minute limit for a given email type, subsequent emails of that type are dropped for that user until that minute elapses.