Authentication/End-user rate limits
This page provides the API rate limits for authentication and end user activities. To learn more about rate limits, see the Overview and Best practices pages.
- In addition to the rate limit per API, Okta implements limits on concurrent requests, Okta-generated emails, end user requests, and home page endpoints. These limits are described on the Additional limits page.
- DynamicScale rate limits apply to various endpoints across different APIs for customers who purchased this add-on. (The DynamicScale add-on service is only available to Customer Identity Solutions (CIS) customers.)
- You can expand Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.
See the following list of per-minute limits. If an endpoint isn't in this list, you can review it using the Admin Console, in the rate limit dashboard's APIs table. See APIs table.
Action and Okta API endpoint | Developer (free) | Developer (paid) | One App | Enterprise | Workforce identity |
---|---|---|---|---|---|
Authenticate different end users: /api/v1/authn Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 500 |
Verify a factor: /api/v1/authn/factors/{factorIdOrFactorType}/verify only. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 500 |
Get session information: /api/v1/sessions Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 750 |
OAuth2 requests for Custom Authorization Servers: /oauth2/{authorizationServerId}/v1 except /oauth2/{authorizationServerId}/v1/authorize, /oauth2/{authorizationServerId}/v1/token, and public metadata endpoints (see Endpoints without rate limiting). Eligible for dynamic scale and workforce multiplier | 300 | 1,200 | 1,200 | 1,200 | 2,000 |
/oauth2/{authorizationServerId}/v1/authorize Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
/oauth2/{authorizationServerId}/v1/token Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
OAuth2 requests for the Org Authorization Server: /oauth2/v1 except /oauth2/v1/clients, /oauth2/v1/authorize, /oauth2/v1/token, and public metadata endpoints (see Endpoints without rate limiting). Eligible for dynamic scale and workforce multiplier | 300 | 1,200 | 1,200 | 1,200 | 2,000 |
/oauth2/v1/authorize Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
/oauth2/v1/token Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
All other OAuth2 requests: /oauth2 | 100 | 600 | 600 | 600 | 600 |
/app/{app}/{key}/sso/saml Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 750 |
/app/office365{appType}/{key}/sso/wsfed/active Eligible for workforce multiplier | N/A | N/A | N/A | 2,000 | 1,000 |
/app/office365{appType}/{key}/sso/wsfed/passive Eligible for workforce multiplier | N/A | N/A | N/A | 250 | 250 |
/app/template_saml_2_0/{key}/sso/saml Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 2,500 |
/login/login.htm Eligible for dynamic scale and workforce multiplier | 200 | 1200 | 1200 | 1200 | 1200 |
/login/sso_iwa_auth Eligible for workforce multiplier | 100 | 600 | 600 | 600 | 500 |
/api/{apiVersion}/radius Eligible for workforce multiplier | 100 | 600 | 600 | 600 | 600 |
/login/token/redirect Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 600 |
Identity Engine APIs: Identity Engine rate limits are configured to support 1000 Identity Engine authentication flows per minute. Depending on the authentication flow, some endpoint limits may differ. | | | | | |
/idp/idx | 100 | 1000 | 1000 | 1000 | 1000 |
/idp/idx/identify Eligible for dynamic scale and workforce multiplier | 100 | 1000 | 1000 | 1000 | 1000 |
/idp/idx/introspect Eligible for dynamic scale and workforce multiplier | 200 | 2000 | 2000 | 2000 | 2000 |
Identity Engine App intent Eligible for dynamic scale and workforce multiplier | 200 | 2000 | 2000 | 2000 | 2000 |
Endpoints without rate limiting
The following public metadata endpoints aren't subject to rate limits.
Public metadata endpoints for the Org Authorization Server are:
/oauth2/v1/keys
/.well-known/openid-configuration
/.well-known/oauth-authorization-server
Public metadata endpoints for the Custom Authorization Servers are:
/oauth2/{authorizationServerId}/v1/keys
/oauth2/{authorizationServerId}/.well-known/openid-configuration
/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server