On this page

Authentication/End-user rate limits

This page provides the API rate limits for authentication and end-user activities, which is part of Okta rate limits. To learn more about rate limits, visit our Overview and Best practices pages.

  • In addition to the rate limit per API, Okta implements limits on concurrent requests, Okta-generated email messages, end user requests, and home page endpoints. These limits are described on the Additional limits page.
  • DynamicScale rate limits apply to a variety of endpoints across different APIs for customers that purchased this add-on.
  • You can expand Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.

See the following list of per-minute limits. If an endpoint isn't in this list, you can review it using the Admin Console, in the rate limit dashboard's APIs table. See APIs table.

Action and Okta API Endpoint Developer (free) Developer (paid) One App Enterprise Workforce Identity
Cumulative rate limit 2,100 13,000 13,000 13,000 18,250
Authenticate different end users:
/api/v1/authn
Eligible for dynamic scale and workforce multiplier
100 600 600 600 500
Verify a factor:
/api/v1/authn/factors/${factorIdOrFactorType}/verify only
Eligible for dynamic scale and workforce multiplier
100 600 600 600 500
Get session information:
/api/v1/sessions
Eligible for dynamic scale and workforce multiplier
100 600 600 600 750
OAuth2 requests for Custom Authorization Servers:
/oauth2/${authorizationServerId}/v1 except /oauth2/${authorizationServerId}/v1/authorize, /oauth2/${authorizationServerId}/v1/token, and public metadata endpoints (see Endpoints without rate limiting)
Eligible for dynamic scale and workforce multiplier
300 1,200 1,200 1,200 2,000
/oauth2/${authorizationServerId}/v1/authorize
Eligible for dynamic scale and workforce multiplier
300 1200 1200 1200 2000
/oauth2/${authorizationServerId}/v1/token
Eligible for dynamic scale and workforce multiplier
300 1200 1200 1200 2000
OAuth2 requests for the Org Authorization Server:
/oauth2/v1 except /oauth2/v1/clients, /oauth2/v1/authorize, /oauth2/v1/token, and public metadata endpoints (see Endpoints without rate limiting)
Eligible for dynamic scale and workforce multiplier
300 1,200 1,200 1,200 2,000
/oauth2/v1/authorize
Eligible for dynamic scale and workforce multiplier
300 1200 1200 1200 2000
/oauth2/v1/token
Eligible for dynamic scale and workforce multiplier
300 1200 1200 1200 2000
All other OAuth2 requests:
/oauth2
100 600 600 600 600
/app/${app}/${key}/sso/saml
Eligible for dynamic scale and workforce multiplier
100 600 600 600 750
/app/office365${appType}/${key}/sso/wsfed/active
Eligible for workforce multiplier
N/A N/A N/A 2,000 1,000
/app/office365${appType}/${key}/sso/wsfed/passive
Eligible for workforce multiplier
N/A N/A N/A 250 250
/app/template_saml_2_0/${key}/sso/saml
Eligible for dynamic scale and workforce multiplier
100 600 600 600 2,500
/login/login.htm
Eligible for dynamic scale and workforce multiplier
200 1200 1200 1200 1200
/login/sso_iwa_auth
Eligible for workforce multiplier
100 600 600 600 500
/api/${apiVersion}/radius
Eligible for workforce multiplier
100 600 600 600 600
/login/token/redirect
Eligible for dynamic scale and workforce multiplier
100 600 600 600 600
Identity Engine Identity Engine APIs:
Identity Engine rate limits are configured to support 1000 Identity Engine authentication flows per minute. That is, depending on authentication flows, some endpoint limits may differ.
/idp/idx 100 1000 1000 1000 1000
/idp/idx/identify
Eligible for dynamic scale and workforce multiplier
100 1000 1000 1000 1000
/idp/idx/introspect
Eligible for dynamic scale and workforce multiplier
200 2000 2000 2000 2000
Identity Engine App Intent
Eligible for dynamic scale and workforce multiplier
200 2000 2000 2000 2000

Endpoints without rate limiting

The following public metadata endpoints aren't subjected to rate limiting.

Public metadata endpoints for the Org Authorization Server are:

  • /oauth2/v1/keys
  • /.well-known/openid-configuration
  • /.well-known/oauth-authorization-server

Public metadata endpoints for the Custom Authorization Servers are:

  • /oauth2/${authorizationServerId}/v1/keys
  • /oauth2/${authorizationServerId}/.well-known/openid-configuration
  • /oauth2/${authorizationServerId}/.well-known/oauth-authorization-server