Rate Limit Policies
Frontegg applies rate limit policies on its APIs in order to protect your application and user management infrastructure, so your users will have a frictionless non-interrupted experience
Handling rate limits in code
Frontegg responds with HTTP Status Code 429 (Too Many Requests) when the rate limits exceed.
Your code logic should be able to handle such cases by checking the status code on the response and recovering from such cases.
If a retry is needed, it is best to allow for a back-off to avoid going into an infinite retry loop.
Limits for Frontegg workspaces
In some of the cases, the limits will be by IP address and in some of the cases, the limits will be by vendor Id.
| Endpoint | Path | Limited by | Rate limit |
|---|---|---|---|
| Password reset request | /identity/resources/users/v1/passwords/reset | IP address | 10 requests per minute |
| Password verification | /identity/resources/users/v1/passwords/reset/verify | IP address | 10 requests per minute |
| MFA verification | /identity/resources/auth/v1/user/mfa/verify | IP address | 10 requests per minute |
| MFA recovery | /identity/resources/auth/v1/user/mfa/recover | IP address | 10 requests per minute |
| Magic link login | /identity/resources/auth/v1/passwordless/magiclink/prelogin/identity/resources/auth/v1/passwordless/magiclink/postlogin | IP address | 100 requests per minute |
| SSO prelogin | /identity/resources/auth/v2/user/sso/prelogin | IP address | 100 requests per minute |
| User authentication | /identity/resources/auth/v1/user | IP address | 100 requests per minute |
| Social login | /identity/resources/auth/v1/user/sso/google/postlogin/identity/resources/auth/v1/user/sso/github/postlogin/identity/resources/auth/v1/user/sso/microsoft/postlogin/identity/resources/auth/v1/user/sso/facebook/postlogin | IP address | 100 requests per minute |
| User sign up | /identity/resources/users/v1/signUp | IP address | 5 requests per minute |
| API token authentication | /identity/resources/auth/v1/api-token | Environment | 100 per second |
| OAuth Token Request | /identity/resources/oauth/token | Environment | 500 per minute |
| Vendor Authentication | /auth/vendor | IP address | 30 per second |
| Invite user | POST /identity/resources/users/v1POST /identity/resources/users/v2 | IP address | 30 per minute |
| Get users | GET /identity/resources/users/v3 | Environment | 200 per minute |
| Identity management configuration | POST /identity/resources/configurations/v1 | Vendor | 20 per minute |
| Update main authentication strategy | POST /identity/resources/configurations/v1/auth/strategies/main | Vendor | 10 per minute |
| Update secondary authentication strategy | POST /identity/resources/configurations/v1/auth/strategies/secondary | Vendor | 10 per minute |
| Update SSO configuration | POST /identity/resources/sso/v1 | Vendor | 10 per minute |
| Activate SSO configuration | identity/resources/sso/v1/:type/activate | Vendor | 10 per minute |
| Deactivate SSO configuration | POST /identity/resources/sso/v1/:type/deactivate | Vendor | 10 per minute |
| Update SSO configuration | POST /identity/resources/sso/v2 | Vendor | 10 per minute |
| Activate SSO configuration | POST /identity/resources/sso/v2/:type/activate | Vendor | 10 per minute |
| Deactivate SSO configuration | POST /identity/resources/sso/v2/:type/deactivate | Vendor | 10 per minute |
| Create custom SSO configuration | POST /identity/resources/sso/custom/v1 | Vendor | 10 per minute |
| Update custom SSO configuration | PATCH /identity/resources/sso/custom/v1/:id | Vendor | 10 per minute |
| Delete custom SSO configuration | DELETE /identity/resources/sso/custom/v1/:id | Vendor | 10 per minute |
| Delete user | DELETE identity/resources/users/v1/:userId | IP Address | 30 per minute |
| SSO groups configuration | identity/resources/sso/v1/configurations/:configurationId/groups/:groupIde | Vendor | 100 per minute |
| MFA SMS | identity/resources/auth/v1/user/mfa/sms/ | IP Address | 10 per minute |
Updated 8 days ago