On this page
System Log events for rate limits
System Log event types
Web request rate limits (org level)
The following org-based System Log events record system events related to your org to provide an audit trail. Use this to understand platform activity and to diagnose problems.
system.org.rate_limit.warning
This event is sent when an endpoint is nearing its rate limit.system.org.rate_limit.burst
This event is sent when an API exceeds its default rate limit, and Okta applies an increase in the rate limit to minimize customer impact. See Burst rate limits.system.org.rate_limit.violation
This event is sent when an endpoint exceeds its rate limit.core.concurrency.org.limit.violation
This event is sent when a request exceeds the org's allotted concurrent limit.
Web request rate limits (client level)
The following client-based System Log events are fired when an individual client exceeds its assigned limit for the OAuth /authorize endpoint. The event that fires depends on the client-based rate limit mode that's set.
If the framework is in Enforce and log per client mode, the following events fire:
system.client.rate_limit.violation
This event is fired when a specific client, IP address, or device identifier combination exceeds the total limit of 60 requests per minute. The System Log contains information about the client ID, IP address, device identifier, and the actual user if the user already has a valid session.system.client.concurrency_rate_limit.violation
This event is fired when a specific client, IP address, or device identifier combination makes more than five concurrent requests. The System Log contains information about the client ID, IP address, device identifier, and the actual user if the user already has a valid session.
If the framework is in Log per client&&** mode, the following events fire:
system.client.rate_limit.notification
This event is fired when a specific client, IP address, or device identifier combination exceeds the total limit of 60 requests per minute. However, the user won't see a rate limit violation. Okta fires only anotificationSystem Log event. The System Log contains information about the client ID, IP address, device identifier, and the actual user if the user already has a valid session.system.client.concurrency_rate_limit.notification
This event is fired when a specific client, IP address, device token combination makes more than two concurrent requests. However, the end user won't see a rate limit violation. Okta fires only anotificationSystem Log event. The System Log contains information about the client ID, IP address, device identifier, and the actual user if the user already has a valid session.
OAuth 2.0 client rate limit
The following event fires when OAuth 2.0 requests from a single client ID have consumed most of the applicable rate limit for the org:
app.oauth2.client_id_rate_limit_warning
This event contains information about the responsible client ID, which you can use to discover and deactivate or reconfigure the client if necessary.
Operation rate limits
Some rate limits are enforced on specific actions within Okta, regardless of which API is called to invoke the action. For example, though there are multiple ways to initiate an SMS to a user, there may be a limit on how many are sent out. This is regardless of which API requests have been made to initiate the messages. The following event types may appear in these varying cases:
system.operation.rate_limit.violation
This event type is sent once per rate limit period when a request or action is rejected for exceeding a rate limit. For example, if the exceeded rate limit has a reset period of one minute, then one event of this type is emitted during that period for the applicable scope.system.operation.rate_limit.warning
This event type may be sent once per rate limit period, warning that a significant portion of your rate limit has already been used within a period. For example, you might receive a warning that you've reached 60% of your rate limit for an endpoint within a rate limit period.system.operation.rate_limit.notification
This event type can provide additional information about rate limit decisions. For example, this event might indicate that a violation event would have been emitted for a specific client rather than for a broader scope if you had chosen a different configuration.
DebugContext object for operation rate limits
For some event types, the fields provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the DebugContext (opens new window) object provides a way to store additional information.
DebugContext object properties for operation rate limits
The following table describes the rate limit information that is returned in the DebugContext object.
Identity EngineImportant: The information contained in
debugContext.debugDatais intended to add context when troubleshooting customer platform issues. The key names and values in the following table are standard properties for rate limit events. However, other properties may be included in the DebugContext object, for example:countryCallingCode. These types of event-specific properties may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead.
Note: The
profile_reloadtype is only available for Identity Engine.
| Property | Type | Description |
|---|---|---|
operationRateLimitScopeType | String | The type of rate limit scope affected. Scope examples: org or user |
operationRateLimitSecondsToReset | String | The number of seconds that remain until the current rate limit period ends |
operationRateLimitSubtype | String | The Subtype of the rate limit event affected. Subtype examples: Email, SMS, Voice call |
operationRateLimitThreshold | String | The relevant numerical limit that this event is associated with |
operationRateLimitTimeSpan | String | The amount of time before the rate limit resets |
operationRateLimitTimeUnit | String | Indicates the reset interval for operationRateLmitTimeSpan in minutes or seconds |
operationRateLimitType | String | The type of rate limit event affected. Type examples: web_request, authenticator_otp_verification, sms_factor_enroll, event_hook_delivery, elastic_rate_limit_activated, phone_enrollment, profile_reload
Identity Engine
, and so on |
Note: Additional information for some events may be included in the DebugContext object, such as for the Notification or Warning event types. For example:
For Notification event types
A preview-type event might contain a link to where you can toggle some behaviorFor Warning event types
The event might include the threshold % that is being used to trigger the warning
DebugContext object examples for operation rate limits
The following is an example System Log rate limit event where too many enrollment attempts for the SMS factor were made.
{
"actor": {
"id": "00uw8nGF9OiREtZyr0g3",
"type": "User",
"alternateId": "john.smith@example.com",
"displayName": "John Smith",
"detailEntry": null
},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0",
"os": "Mac OS X",
"browser": "FIREFOX"
},
"zone": "null",
"device": "Computer",
"id": null,
"ipAddress": "127.0.0.1",
"geographicalContext": {
"city": null,
"state": null,
"country": null,
"postalCode": null,
"geolocation": {
"lat": 37.74,
"lon": -122.39999999999999
}
}
},
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"externalSessionId": "1025poeucCTQVK22GxJEK1Y-g"
},
"displayMessage": "Operation rate limit violation",
"eventType": "system.operation.rate_limit.violation",
"outcome": {
"result": "DENY",
"reason": "Too many enrollment attempts for SMS factor"
},
"published": "2021-02-10T04:46:12.033Z",
"securityContext": {
"asNumber": null,
"asOrg": null,
"isp": null,
"domain": null,
"isProxy": null
},
"severity": "WARN",
"debugContext": {
"debugData": {
"operationRateLimitSubtype": "SMS",
"operationRateLimitTimeUnit": "MINUTES",
"operationRateLimitScopeType": "user",
"operationRateLimitSecondsToReset": "99",
"operationRateLimitThreshold": "15",
"operationRateLimitTimeSpan": "5",
"requestUri": "/api/v1/authn/factors",
"url": "/api/v1/authn/factors?updatePhone=true",
"phoneNumber": "+1555555555",
"authnRequestId": "reqWXOTNi2FQV6sUFQxWGCf8A",
"countryCallingCode": "1",
"requestId": "reqS9xgtpvOTcukX8Yu-SLRDQ",
"threatSuspected": "false",
"operationRateLimitType": "phone_enrollment"
}
},
"legacyEventType": null,
"transaction": {
"type": "WEB",
"id": "reqS9xgtpvOTcukX8Yu-SLRDQ",
"detail": {}
},
"uuid": "a0b60b8a-3aa2-11eb-8d69-abfc0c06b0f7",
"version": "0",
"request": {
"ipChain": [
{
"ip": "127.0.0.1",
"geographicalContext": null,
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "SMS",
"type": "Factor Type",
"alternateId": null,
"displayName": null,
"detailEntry": null
},
{
"id": "/api/v1/authn/factors",
"type": "URL Pattern",
"alternateId": null,
"displayName": null,
"detailEntry": null
}
]
}
The following is an example System Log rate limit event where too many OTP verification attempts were made for the Email factor.
Note: This event is valid with Identity Experience flows only.
{
"actor": {
"id": "00u177cNaulNGQ8uT0g4",
"type": "User",
"alternateId": "john.smith@example.com",
"displayName": "John Smith",
"detailEntry": null
},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0",
"os": "Mac OS X",
"browser": "FIREFOX"
},
"zone": "null",
"device": "Computer",
"id": null,
"ipAddress": "127.0.0.1",
"geographicalContext": {
"city": null,
"state": null,
"country": null,
"postalCode": null,
"geolocation": {
"lat": 37.62,
"lon": -114.67
}
}
},
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"externalSessionId": "trskkGZcEoXRb6cY4ZtJxfcAw"
},
"displayMessage": "Operation rate limit violation",
"eventType": "system.operation.rate_limit.violation",
"outcome": {
"result": "DENY",
"reason": "Too many OTP verification attempts for Email factor"
},
"published": "2021-02-09T19:13:41.976Z",
"securityContext": {
"asNumber": null,
"asOrg": null,
"isp": null,
"domain": null,
"isProxy": null
},
"severity": "WARN",
"debugContext": {
"debugData": {
"operationRateLimitSubtype": "Email",
"operationRateLimitTimeUnit": "MINUTES",
"operationRateLimitScopeType": "User",
"operationRateLimitSecondsToReset": "282",
"requestId": "reqAp3j9gGSRYK-0QnLu-KCzg",
"operationRateLimitThreshold": "5",
"operationRateLimitTimeSpan": "5",
"requestUri": "/idp/idx/challenge/answer",
"threatSuspected": "false",
"operationRateLimitType": "authenticator_otp_verification",
"url": "/idp/idx/challenge/answer?"
}
},
"legacyEventType": null,
"transaction": {
"type": "WEB",
"id": "reqAp3j9gGSRYK-0QnLu-KCzg",
"detail": {}
},
"uuid": "a67b4d9d-3a52-11eb-bf93-a70040ee6585",
"version": "0",
"request": {
"ipChain": [
{
"ip": "127.0.0.1",
"geographicalContext": null,
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "eae177dD0xPmbH7DE0g4",
"type": "Authenticator",
"alternateId": null,
"displayName": null,
"detailEntry": null
}
]
}
The following example lists a rate limit event in the System Log for too many profile reload attempts through Active Directory or LDAP agent.
Identity EngineNote: This event is valid for the Identity Engine only.
{
"actor": {
"id": "00u1ngpFSRLFie7vT0g4",
"type": "User",
"alternateId": "john.smith@example.com",
"displayName": "John Smith",
"detailEntry": null
},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51",
"os": "Mac OS X",
"browser": "CHROMIUM_EDGE"
},
"zone": "null",
"device": "Computer",
"id": null,
"ipAddress": "127.0.0.1",
"geographicalContext": {
"city": null,
"state": null,
"country": null,
"postalCode": null,
"geolocation": {
"lat": 36.62,
"lon": -113.17
}
}
},
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"externalSessionId": "idx3GDqJrIfQhCRJTEuNC-l9A"
},
"displayMessage": "Operation rate limit violation",
"eventType": "system.operation.rate_limit.violation",
"outcome": {
"result": "DENY",
"reason": "Profile reload for john.smith@example.com skipped due to rate limiting"
},
"published": "2021-05-14T20:42:21.480Z",
"securityContext": {
"asNumber": null,
"asOrg": null,
"isp": null,
"domain": null,
"isProxy": null
},
"severity": "WARN",
"debugContext": {
"debugData": {
"operationRateLimitTimeUnit": "MINUTES",
"operationRateLimitScopeType": "user",
"deviceFingerprint": "3857b18395b101c0703feec226def544",
"operationRateLimitSecondsToReset": "96",
"requestId": "reqmXZkOgXpQdms4-3a8eD9mg",
"operationRateLimitThreshold": "1",
"operationRateLimitTimeSpan": "5",
"requestUri": "/idp/idx/identify",
"operationRateLimitType": "profile_reload",
"operationRateLimitSubtype": "AD agent",
"url": "/idp/idx/identify?"
}
},
"legacyEventType": null,
"transaction": {
"type": "WEB",
"id": "reqmXZkOgXpQdms4-3a8eD9mg",
"detail": {}
},
"uuid": "e19832a2-b4f4-11eb-9f1e-bba1874b8f01",
"version": "0",
"request": {
"ipChain": [
{
"ip": "127.0.0.1",
"geographicalContext": null,
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "00u1ngpFSRLFie7vT0g4",
"type": "User",
"alternateId": "john.smith@example.com",
"displayName": "John Smith",
"detailEntry": null
}
]
}
Operation rate limit subtypes
The following table includes the available Subtypes for operation rate limits.
Note: The
AD agentandLDAP agentsubtypes are only available for the Identity Engine.
| Subtype | Description |
|---|---|
Email | The user exceeded their limit for sending email messages. |
oauth_client | The user exceeded their client-based rate limit. |
SMS | The user exceeded their limit for sending SMS. |
ssws_token | The user exceeded their limit for API token use. |
Voice call | The user exceeded their limit for sending voice-call messages. |
AD agent
Identity Engine
| The user exceeded their limit for profile reload through the AD agent. |
LDAP agent
Identity Engine
| The user exceeded their limit for profile reload through the LDAP agent. |