On this page

    Authentication/End-user rate limits

    This page provides the API rate limits for authentication and end-user activities, which is part of Okta rate limits. To learn more about rate limits, visit our Overview and Best practices pages.

    • In addition to the rate limit per API, Okta implements limits on concurrent requests, Okta-generated email messages, end user requests, and home page endpoints. These limits are described on the Additional limits page.
    • DynamicScale rate limits apply to a variety of endpoints across different APIs for customers that purchased this add-on.
    • You can expand Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.

    See the following list of per-minute limits. If an endpoint is not in this list, you can review it using the Admin Console, in the rate limit dashboard's APIs table. See APIs table.

    Action and Okta API Endpoint Developer (free) Developer (paid) One App Enterprise Workforce Identity
    Cumulative rate limit 2,100 13,000 13,000 13,000 18,250
    Authenticate different end users:
    /api/v1/authn
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 500
    Verify a factor:
    /api/v1/authn/factors/${factorIdOrFactorType}/verify only
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 500
    Get session information:
    /api/v1/sessions
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 750
    OAuth2 requests for Custom Authorization Servers:
    /oauth2/${authorizationServerId}/v1 except /oauth2/${authorizationServerId}/v1/authorize, /oauth2/${authorizationServerId}/v1/token, and public metadata endpoints (see Endpoints without rate limiting)
    Eligible for dynamic scale and workforce multiplier    		 300 1,200 1,200 1,200 2,000
    /oauth2/${authorizationServerId}/v1/authorize
    Eligible for dynamic scale and workforce multiplier    		 300 1200 1200 1200 2000
    /oauth2/${authorizationServerId}/v1/token
    Eligible for dynamic scale and workforce multiplier    		 300 1200 1200 1200 2000
    OAuth2 requests for the Org Authorization Server:
    /oauth2/v1 except /oauth2/v1/clients, /oauth2/v1/authorize, /oauth2/v1/token, and public metadata endpoints (see Endpoints without rate limiting)
    Eligible for dynamic scale and workforce multiplier    		 300 1,200 1,200 1,200 2,000
    /oauth2/v1/authorize
    Eligible for dynamic scale and workforce multiplier    		 300 1200 1200 1200 2000
    /oauth2/v1/token
    Eligible for dynamic scale and workforce multiplier    		 300 1200 1200 1200 2000
    All other OAuth2 requests:
    /oauth2    		 100 600 600 600 600
    /app/${app}/${key}/sso/saml
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 750
    /app/office365${appType}/${key}/sso/wsfed/active
    Eligible for workforce multiplier    		 N/A N/A N/A 2,000 1,000
    /app/office365${appType}/${key}/sso/wsfed/passive
    Eligible for workforce multiplier    		 N/A N/A N/A 250 250
    /app/template_saml_2_0/${key}/sso/saml
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 2,500
    /login/login.htm
    Eligible for dynamic scale and workforce multiplier    		 200 1200 1200 1200 1200
    /login/sso_iwa_auth
    Eligible for workforce multiplier    		 100 600 600 600 500
    /api/${apiVersion}/radius
    Eligible for workforce multiplier    		 100 600 600 600 600
    /login/token/redirect
    Eligible for dynamic scale and workforce multiplier    		 100 600 600 600 600
    Identity Engine Identity Engine APIs:
    Identity Engine rate limits are configured to support 1000 Identity Engine authentication flows per minute. That is, depending on authentication flows, some endpoint limits may differ.
    /idp/idx 100 1000 1000 1000 1000
    /idp/idx/identify
    Eligible for dynamic scale and workforce multiplier    		 100 1000 1000 1000 1000
    /idp/idx/introspect
    Eligible for dynamic scale and workforce multiplier    		 200 2000 2000 2000 2000
    Identity Engine App Intent
    Eligible for dynamic scale and workforce multiplier    		 200 2000 2000 2000 2000

    Endpoints without rate limiting

    The following public metadata endpoints aren't subjected to rate limiting.

    Public metadata endpoints for the Org Authorization Server are:

    • /oauth2/v1/keys
    • /.well-known/openid-configuration
    • /.well-known/oauth-authorization-server

    Public metadata endpoints for the Custom Authorization Servers are:

    • /oauth2/${authorizationServerId}/v1/keys
    • /oauth2/${authorizationServerId}/.well-known/openid-configuration
    • /oauth2/${authorizationServerId}/.well-known/oauth-authorization-server
    Edit This Page On GitHub