Rate Limit Policies

Frontegg enforces rate limit policies on its APIs to protect your application and user management infrastructure and ensure a seamless user experience. When rate limits are exceeded, Frontegg responds with an HTTP Status Code 429 (Too Many Requests). Your application should handle these responses by checking the status code and implementing a back-off strategy to avoid infinite retry loops.

Limits for Frontegg workspaces

Some rate limits are applied per IP address and others per vendor ID.

General rate limits

Note that the general rate limit in each API group applies to all routes in that group that are not listed individually in the group's table below.

Authentication APIs

| Endpoint | Path | Method | Launch | Scale | Enterprise |
| --- | --- | --- | --- | --- | --- |
| General rate limit | | | 100/min per IP | 1000/min per IP | 1000/min per IP |
| Activate SSO configuration | /identity/resources/sso/v1/:type/activate | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Password reset request | /identity/resources/users/v1/passwords/reset | POST | 5/min per VendorId | 5/min per IP | 10/min per IP |
| Password verification | /identity/resources/users/v1/passwords/reset/verify | POST | 5/min per VendorId | 5/min per IP | 10/min per IP |
| Reset phone number | /identity/resources/users/v1/phone/reset | POST | 5/min per VendorId | 5/min per IP | 10/min per IP |
| Reset phone number verification | /identity/resources/users/v1/phone/reset/verify | POST | 5/min per VendorId | 5/min per IP | 10/min per IP |
| API token (client credentials) authentication | /identity/resources/auth/v1/api-token/resources/auth/v2/api-token | POST | 10/sec per VendorId | 60/sec per VendorId | 100/sec per VendorId |
| API token (client credentials) refresh | /identity/resources/auth/v1/api-token/token/refresh | POST | 10/sec per VendorId | 60/sec per VendorId | 100/sec per VendorId |
| Logout a user (Embedded) | /identity/resources/auth/v1/logout | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| User social authentication (all providers) | /identity/resources/auth/v1/user/sso/:type/postlogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Apple postlogout | /identity/resources/auth/v2/user/sso/apple/postlogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Social dev credentials postlogin | /identity/resources/auth/v2/user/sso/default/:type/postlogin | GET | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Social auth postlogin | /identity/resources/auth/v2/user/sso/:type/postlogin | GET | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Social auth prelogin | /identity/resources/auth/v2/user/sso/default/:type/prelogin | GET | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Login with code postlogin | /identity/resources/auth/v2/user/:type/postlogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Login with code prelogin | /identity/resources/auth/v2/user/sso/:type/prelogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Magic link postlogin | /identity/resources/auth/v1/passwordless/code/postlogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Magic link prelogin | /identity/resources/auth/v1/passwordless/code/prelogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Login with SMS postlogin | /identity/resources/auth/v1/passwordless/magiclink/postlogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Login with SMS prelogin | /identity/resources/auth/v1/passwordless/smscode/prelogin | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Get authentication strategies | /identity/resources/configurations/v1/auth/strategies/public | GET | 10/min per VendorId | 100/min per IP | 1000/min per IP |
| User sign up | /identity/resources/users/v1/signUp | POST | 5/min per VendorId | 10/min per IP | 30/min per IP |
| User password authentication | /identity/resources/auth/v1/user | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| OAuth Token Request | oauth/token | POST | 100/min per VendorId | 100/min per IP | 500/min per IP |

User management APIs

| Endpoint | Path | Method | Launch | Scale | Enterprise |
| --- | --- | --- | --- | --- | --- |
| General Rate Limit | | | 100/min per IP | 1000/min per IP | 1000/min per IP |
| Resend activation email to a user | /idenity/resources/members/v1/:userId/resendActivationEmail | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Create user group | /resources/sso/v1/configurations/:configurationId/groups | POST | 10/min per VendorId | 30/min per IP | 100/min per IP |
| Create tenants in bulk | /resources/migrations/v1/tenants | POST | 10/min per VendorId | 10/min per IP | 30/min per IP |
| Get tenants | /resources/tenants/v1 | GET | 30/min per VendorId | 30/min per IP | 100/min per IP |
| User invitation / creation (V1) | /identity/resources/users/v1 | POST | 30/min per VendorId | 30/min per IP | 150/min per IP |
| User invitation / creation (V2) | /identity/resources/users/v2 | POST | 10/min per VendorId | 30/min per IP | 150/min per IP |
| Delete user | /identity/resources/users/v1/:userId | DELETE | 10/min per VendorId | 10/min per IP | 30/min per IP |
| GET users (V2) | /identity/resources/users/v2 | GET | 30/min per VendorId | 30/min per VendorId | 30/min per VendorId |
| GET users (V3) | /identity/resources/users/v3 | GET | 60/min per VendorId | 100/min per VendorId | 200/min per VendorId |
| Assign roles to user | /identity/resources/users/v1/{userId}/roles | POST | 30/min per VendorId | 100/min per IP | 1000/min per IP |
| Set user’s active tenant | /identity/resources/users/v1/{userId}/tenant | POST | 30/min per VendorId | 100/min per IP | 1000/min per IP |
| Remove roles from user | /identity/resources/users/v1/{userId}/roles | DELETE | 30/min per VendorId | 100/min per IP | 1000/min per IP |

Security APIs

| Endpoint | Path | Method | Launch | Scale | Enterprise |
| --- | --- | --- | --- | --- | --- |
| General Rate Limit | | | | | |
| MFA recovery | /identity/resources/auth/v1/user/mfa/recover | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Generate step up code for user | /identity/resources/auth/v1/user/step-up/generate | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Change password for user | /identity/resources/users/v1/passwords/change | POST | 15/min per IP | 50/min per IP | 50/min per IP |
| Verify user’s MFA enrollment (authenticator app) | /identity/resources/auth/v1/user/mfa/authenticator/enroll/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify user’s MFA enrollment (SMS) | /identity/resources/auth/v1/user/mfa/sms/enroll/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify user’s MFA enrollment (WebAuthN) | /identity/resources/auth/v1/user/mfa/webauthn/enroll/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Enroll user in MFA (authenticator app) | /identity/resources/auth/v1/user/mfa/authenticator/enroll | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Enroll user in MFA (SMS) | /identity/resources/auth/v1/user/mfa/sms/enroll | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Enroll user in MFA (WebAuthN) | /identity/resources/auth/v1/user/mfa/webauthn/enroll | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Generate MFA code for email | /identity/resources/auth/v1/user/mfa/emailcode | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Add device for MFA via SMS | /identity/resources/auth/v1/user/mfa/sms/:deviceId | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Add device for MFA via deviceId | /identity/resources/auth/v1/user/mfa/webauthn/:deviceId | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify device for MFA authentication | /identity/resources/auth/v1/user/mfa/authenticator/:deviceId/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| MFA verification | /identity/resources/auth/v1/user/mfa/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify MFA code from email | /identity/resources/auth/v1/user/mfa/emailcode/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify device for MFA via SMS | /identity/resources/auth/v1/user/mfa/sms/:deviceId/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |
| Verify device for MFA via WebAuthN | /identity/resources/auth/v1/user/mfa/webauthn/:deviceId/verify | POST | 5/min per IP | 10/min per IP | 10/min per IP |

Management APIs

| Endpoint | Path | Method | Launch | Scale | Enterprise |
| --- | --- | --- | --- | --- | --- |
| General rate limit | | | 100/min per IP | 1000/min per IP | 1000/min per IP |
| Update main authentication strategies | /identity/resources/configurations/v1/auth/strategies/main | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Update secondary authentication strategies | /identity/resources/configurations/v1/auth/strategies/secondary | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Create custom social login configuration | /resources/sso/custom/v1 | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Delete custom social login configuration | /resources/sso/custom/v1/:id | DELETE | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Update custom social login configuration | /resources/sso/custom/v1/:id | PATCH | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Get bulk CSV migration errors | /identity/resources/migrations/v1/local/bulk/csv/:migrationId/errors | POST | 2/min per VendorId | 5/min per VendorId | 5/min per VendorId |
| Migrate bulk users via CSV | /identity/resources/migrations/v1/local/bulk/csv | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Migrate bulk users via JSON | /identity/resources/migrations/v1/local/bulk | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Update SSO configuration | /resources/sso/v1 | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Deactivate SSO configuration | /resources/sso/v1/:type/deactivate, /resources/sso/v2/:type/deactivate | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Activate SSO configuration | /resources/sso/v2/:type/activate | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Update SSO configuration | /resources/sso/v2 | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Invite users in bulk (JSON) | /identity/resources/users/bulk/v1/invite | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Identity management settings | /identity/resources/configurations/v1 | POST | 10/min per VendorId | 20/min per VendorId | 20/min per VendorId |
| Check active tenant access tokens | /identity/resources/vendor-only/tenants/access-tokens/v1/active | GET | 20/min per VendorId | 100/min per VendorId | 100/min per VendorId |
| Get tenant access token | /identity/resources/vendor-only/tenants/access-tokens/v1/:id | GET | 20/min per VendorId | 100/min per VendorId | 100/min per VendorId |
| Get user’s active access tokens | /identity/resources/vendor-only/users/access-tokens/v1/active | GET | 20/min per VendorId | 100/min per VendorId | 100/min per VendorId |
| Check active user access tokens | /identity/resources/vendor-only/users/access-tokens/v1/:id | GET | 20/min per VendorId | 100/min per VendorId | 100/min per VendorId |
| Create application | /resources/applications/v1 | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Delete application | /resources/applications/v1/:id | DELETE | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Get application by ID | /resources/applications/v1/:id | GET | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Get applications | /resources/applications/v1 | GET | 15/min per VendorId | 50/min per VendorId | 50/min per VendorId |
| Get default applications | /resources/applications/v1/default | GET | 15/min per VendorId | 50/min per VendorId | 50/min per VendorId |
| Update application by ID | /resources/applications/v1/:id | PATCH | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Assign tenants (accounts) to applications | /resources/applications/tenant-assignments/v1/:appId | POST | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Remove tenant (account) assignment from the application | /resources/applications/tenant-assignments/v1/:appId/:tenantId | DELETE | 5/min per VendorId | 10/min per VendorId | 10/min per VendorId |
| Get tenant assignments for application per ID | /resources/applications/tenant-assignments/v1/:appId | GET | 15/min per VendorId | 50/min per VendorId | 50/min per VendorId |
| Get tenant assignments per application | /resources/applications/tenant-assignments/v1 | GET | 15/min per VendorId | 50/min per VendorId | 50/min per VendorId |
| Vendor authentication | /auth/vendor | POST | 10/sec per IP | 30/sec per IP | 30/sec per IP |

Entitlements APIs

| Endpoint | Method | Launch | Scale | Enterprise |
| --- | --- | --- | --- | --- |
| General rate limit | | 100/min per IP | 1000/min per IP | 1000/min per IP |
| Create / Update Feature / Plan / FF | | 5/min per IP | 10/min per VendorId | 10/min per VendorId |
| Entitlements (all types) | GET | 100/min per IP | 1000/min per IP | 1000/min per IP |

Rate Limit Headers

It is recommended to refer to the response headers below, which are returned on all /identity/ routes, when optimizing your app to minimize requests and avoid hitting the rate limit:

x-rate-limit-limit

x-rate-limit-remaining

x-rate-limit-reset
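
The 429 handling and the rate limit headers described on this page can be combined in one bounded retry wrapper. The following is an added example, not Frontegg code: the function names and the `send()` callable are hypothetical, the sample responses are constructed, and it assumes `x-rate-limit-reset` carries the number of seconds until the window resets, which the page does not specify.

```python
import random
import time

class RateLimited(Exception):
    """Retries exhausted while the API kept answering HTTP 429."""

def retry_delay(headers, attempt, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait after a 429 on the given 0-based attempt."""
    # Assumption: x-rate-limit-reset holds seconds until the window resets;
    # the page names the header but does not state its unit.
    try:
        hinted = float(headers.get("x-rate-limit-reset"))
    except (TypeError, ValueError):
        hinted = None
    if hinted is not None and hinted >= 0:
        return min(hinted, cap)  # never sleep longer than the cap
    # No usable hint: exponential back-off with full jitter.
    return rng() * min(cap, base * 2 ** attempt)

def budget_exhausted(headers):
    """True when a response reports no requests left in the current window."""
    return str(headers.get("x-rate-limit-remaining", "")).strip() == "0"

def call_with_backoff(send, max_retries=4, sleep=time.sleep, **delay_opts):
    """Call send() -> (status, headers, body); retry only on 429, bounded."""
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        headers = {k.lower(): v for k, v in headers.items()}
        if status != 429:
            return status, headers, body
        if attempt < max_retries:
            sleep(retry_delay(headers, attempt, **delay_opts))
    raise RateLimited(f"still rate limited after {max_retries} retries")

def replay(responses):
    """Constructed stand-in for an HTTP client: replays canned responses."""
    it = iter(responses)
    return lambda: next(it)

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real workspace.
    send = replay([(429, {"X-Rate-Limit-Reset": "2"}, ""),
                   (429, {}, ""),
                   (200, {"X-Rate-Limit-Remaining": "0"}, "ok")])
    waits = []
    status, headers, _ = call_with_backoff(send, sleep=waits.append)
    print(status, waits, "pause before next call:", budget_exhausted(headers))
```

The retry cap is what prevents the infinite retry loop: once `max_retries` is reached the caller gets `RateLimited` and can surface the failure instead of continuing to hit a limited endpoint.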