Rate Limit Policy
Overview
Authlete uses rate limits to protect our platform and ensure high availability and performance for our customers. This document provides an overview of the types of rate limits we enforce in order to allow customers to plan accordingly when building their applications.
This document and all rate limit content is specific to Authlete managed deployments. Self-Managed deployments might apply other protective measures.
Types of Rate Limits
In order to ensure that the the platform is available and stable we use different types of limits but as general rule limits apply to all calls to Authlete APIs and once a limit is reached requests will be rate limited meaning they will not be executed and Authlete will return a response with status code 429.
The following is a description of the different types of rate limits we apply and when we use them.
- Environment Limits:
This is a fixed global limit that ensures the total number of requests received in an environment do not exceed the capacity deployed. This limit is used in Enterprise Plans using Dedicated Cloud deployments where customers contract a specific capacity, ie. 1500 RPS, and it is focused on the API endpoints used in the authorization process (
/auth/*)
For Dedicated Cloud customers exceeding the environment capacity regularly does not only result on requests being rate limited but it might invalidate the Service Level Agreement.
- Service Limits:
This is a limit that controls the maximum number of requests made to the API within the context of a service. In this case the limit will depend on the subscription plan and the limit will be applied regardless of the capacity available in the environment. This limit is enforced in our Shared Cloud deployments for Free and Business Plans.
- Requester Limits:
This is a limit intended to be our first line of defense from rogue or faulty actors. It is applied based on the requester IP Address and the requester API key or token. This limit is applied only in our Shared Cloud offering, where it is generally set to 20 RPS.
Although Requester Limits can be enabled in Dedicated Cloud offerings it is common that most requests come from well known sources in which case customers instead use the ability to restrict connectivity from a known list of IP addresses.
- User Limits:
This limit is focused on the interactions that users have via Authlete’s Developer Console and other web applications. The limit is applied based on the user identity and it is enforced in all environments.
The following table provides a summary of the limits and where they are used
| Type of Limit |
Key |
Limit |
Shared/Public Cloud |
Dedicated/Private Cloud |
| Environment |
- |
Capacity contracted |
❌ |
✅ |
| Service |
Service ID |
Organization or Service Owner Plan |
✅ |
❌ |
| Requester |
IP Address API Key API Token |
20 RPS |
✅ |
❌ |
| User |
User ID |
5 rps |
✅ |
✅ |
Burst or Grace Limits
Both Environment and Service limits include a grace allowance, permitting up to 20% additional requests for a limited period—typically up to 3 minutes—to manage sudden load bursts before the strict rate limit is enforced.
Rate Limit Quotas
Shared Cloud Service Limits
The following table shows the rate limits enforced in Shared Cloud based on the plan of the organization or service owner the service belongs to:
| Plan Authlete v3.0 |
Plan Authlete v2.3 |
RPS per service |
| Free |
Free |
5 |
| Business |
Premium |
20 |
Dedicated Environment Limits
As mentioned before Dedicated Cloud environments have a fixed global limit that depends on the customer contract. For example for a customer using a dedicated environment with a 100RPS capacity the limit will enforce that limit with a grace limit of 120RPS for a couple of minutes.