Authentication/End-user rate limits

This page provides the API rate limits for authentication and end-user activities, which are part of the Okta rate limits.

Note:

  • In addition to the rate limit per API, Okta implements limits on concurrent requests, Okta-generated email messages, end user requests, and home page endpoints. These limits are described on the Additional limits page.
  • DynamicScale rate limits apply to a variety of endpoints across different APIs for customers that purchased this add-on.
  • You can expand Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.

We enforce the following per-minute limits.

| Action and Okta API Endpoint | Developer (free) | Developer (paid) | One App | Enterprise | Workforce Identity |
|---|---|---|---|---|---|
| Cumulative rate limit | 2,100 | 13,000 | 13,000 | 13,000 | 18,250 |
| Authenticate different end users: /api/v1/authn. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 500 |
| Verify a factor: /api/v1/authn/factors/${factorIdOrFactorType}/verify only. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 500 |
| Get session information: /api/v1/sessions. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 750 |
| OAuth2 requests for Custom Authorization Servers: /oauth2/${authorizationServerId}/v1 except /oauth2/${authorizationServerId}/v1/authorize and public metadata endpoints (see the Note below). Eligible for dynamic scale and workforce multiplier | 300 | 1,200 | 1,200 | 1,200 | 2,000 |
| /oauth2/${authorizationServerId}/v1/authorize. Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
| OAuth2 requests for the Org Authorization Server: /oauth2/v1 except /oauth2/v1/clients, /oauth2/v1/authorize and public metadata endpoints (see the Note below). Eligible for dynamic scale and workforce multiplier | 300 | 1,200 | 1,200 | 1,200 | 2,000 |
| /oauth2/v1/authorize. Eligible for dynamic scale and workforce multiplier | 300 | 1200 | 1200 | 1200 | 2000 |
| All other OAuth2 requests: /oauth2 | 100 | 600 | 600 | 600 | 600 |
| /app/${app}/${key}/sso/saml. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 750 |
| /app/office365${appType}/${key}/sso/wsfed/active. Eligible for workforce multiplier | N/A | N/A | N/A | 2,000 | 1,000 |
| /app/office365${appType}/${key}/sso/wsfed/passive. Eligible for workforce multiplier | N/A | N/A | N/A | 250 | 250 |
| /app/template_saml_2_0/${key}/sso/saml. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 2,500 |
| /login/login.htm. Eligible for dynamic scale and workforce multiplier | 200 | 1200 | 1200 | 1200 | 1200 |
| /login/sso_iwa_auth. Eligible for workforce multiplier | 100 | 600 | 600 | 600 | 500 |
| /api/${apiVersion}/radius. Eligible for workforce multiplier | 100 | 600 | 600 | 600 | 600 |
| /idp/idx | 100 | 600 | 600 | 600 | 500 |
| /login/token/redirect. Eligible for dynamic scale and workforce multiplier | 100 | 600 | 600 | 600 | 600 |
| Identity Engine APIs: The below rate limits are configured so that orgs are allowed to complete 1000 Identity Engine authentication flows per minute. | | | | | |
| /idp/idx | 100 | 1000 | 1000 | 1000 | 1000 |
| /idp/idx/identify. Eligible for dynamic scale and workforce multiplier | 100 | 1000 | 1000 | 1000 | 1000 |
| /idp/idx/introspect. Eligible for dynamic scale and workforce multiplier | 200 | 2000 | 2000 | 2000 | 2000 |
| Identity Engine App Intent. Eligible for dynamic scale and workforce multiplier | 200 | 2000 | 2000 | 2000 | 2000 |

Note: The following public metadata endpoints aren't subject to rate limiting.

Public metadata endpoints for the Org Authorization Server are:

  • /oauth2/v1/keys
  • /.well-known/openid-configuration
  • /.well-known/oauth-authorization-server

Public metadata endpoints for the Custom Authorization Servers are:

  • /oauth2/${authorizationServerId}/v1/keys
  • /oauth2/${authorizationServerId}/.well-known/openid-configuration
  • /oauth2/${authorizationServerId}/.well-known/oauth-authorization-server