Rate Limit Policy

Rate Limit Policy

Overview

Authlete uses rate limits to protect our platform and ensure high availability and performance for our customers. This document provides an overview of the types of rate limits we enforce in order to allow customers to plan accordingly when building their applications.

Types of Rate Limits

In order to ensure that the the platform is available and stable we use different types of limits but as general rule limits apply to all calls to Authlete APIs and once a limit is reached requests will be rate limited meaning they will not be executed and Authlete will return a response with status code 429.

The following is a description of the different types of rate limits we apply and when we use them.

  • Environment Limits: This is a fixed global limit that ensures the total number of requests received in an environment do not exceed the capacity deployed. This limit is used in Enterprise Plans using Dedicated Cloud deployments where customers contract a specific capacity, ie. 1500 RPS, and it is focused on the API endpoints used in the authorization process (/auth/*)
  • Service Limits: This is a limit that controls the maximum number of requests made to the API within the context of a service. In this case the limit will depend on the subscription plan and the limit will be applied regardless of the capacity available in the environment. This limit is enforced in our Shared Cloud deployments for Free and Business Plans.
  • Requester Limits: This is a limit intended to be our first line of defense from rogue or faulty actors. It is applied based on the requester IP Address and the requester API key or token. This limit is applied only in our Shared Cloud offering, where it is generally set to 20 RPS.
  • User Limits: This limit is focused on the interactions that users have via Authlete’s Developer Console and other web applications. The limit is applied based on the user identity and it is enforced in all environments.

The following table provides a summary of the limits and where they are used

Type of Limit Key Limit Shared/Public Cloud Dedicated/Private Cloud
Environment - Capacity contracted
Service Service ID Organization or Service Owner Plan
Requester IP Address
API Key
API Token
20 RPS
User User ID 5 rps

Burst or Grace Limits

Both Environment and Service limits include a grace allowance, permitting up to 20% additional requests for a limited period—typically up to 3 minutes—to manage sudden load bursts before the strict rate limit is enforced.

Rate Limit Quotas

Shared Cloud Service Limits

The following table shows the rate limits enforced in Shared Cloud based on the plan of the organization or service owner the service belongs to:

Plan Authlete v3.0 Plan Authlete v2.3 RPS per service
Free Free 5
Business Premium 20

Dedicated Environment Limits

As mentioned before Dedicated Cloud environments have a fixed global limit that depends on the customer contract. For example for a customer using a dedicated environment with a 100RPS capacity the limit will enforce that limit with a grace limit of 120RPS for a couple of minutes.