Additional rate limits
This page provides Okta's additional limits on:
- Concurrent requests
- End-user rate limit
- Home page endpoints
- Per-user limits
- Okta-generated email messages
These limits are part of the Okta Rate limit policy.
Note:
- In addition to the rate limits listed on this page, Okta applies rate limits per API, divided into three categories. See the Rate limit overview.
- To learn more about how to manage rate limits, see our best practices.
- You can expand Okta rate limits upon request. To learn how, see Request exceptions and DynamicScale rate limits.
Concurrent rate limits
To protect the service for all customers, Okta enforces concurrent rate limits, which cap the number of simultaneous transactions. Concurrent rate limits are distinct from the org-wide, per-minute API rate limits, which measure the total number of transactions per minute. Transactions are typically very short-lived; even very large bulk loads rarely use more than 10 simultaneous transactions at a time.
For concurrent rate limits, traffic is measured in three different areas. Counts in one area aren't included in counts for the other two:
- For agent traffic, Okta has set the limit based on typical org use. This limit varies from agent to agent.
- For Office365 traffic, the limit is 75 concurrent transactions per org.
- For all other traffic, including API requests, the limit is described in the table below.
Developer (free) | Developer (paid) | One App | Enterprise | Workforce Identity |
---|---|---|---|---|
15 | 35 | 35 | 75 | 75 |
The first request to exceed the concurrent limit returns an HTTP 429 error, and the first error every 60 seconds is written to the log. Reporting concurrent rate limits once a minute keeps log volume manageable.
Note: Under normal circumstances, customers don't exceed the concurrency limits. Exceeding them may be an indication of a problem that requires investigation.
These rate limits apply to all new Okta organizations. For orgs created before 2018-05-17, the previous rate limits still apply.
Note: For information on possible interaction between Inline Hooks and concurrent rate limits, see Inline hooks and concurrent rate limits.
End-user rate limits
Okta limits the number of requests from the Admin Console and End-User Dashboard to 40 requests per user per 10 seconds per endpoint. This rate limit protects users from each other and from other API requests in the system.
If a user exceeds this limit, they receive an HTTP 429 error response without affecting other users in your org. A message is written to the System Log that indicates that the end-user rate limit was encountered.
Home page endpoints and per-minute limits
The following endpoints are used by the Okta home page for authentication and user sign in and have org-wide rate limits:
Okta Home Page Endpoints | Developer (free) | Developer (paid) | One App | Enterprise | Workforce Identity |
---|---|---|---|---|---|
/app/{app}/{key}/sso/saml | 100 | 300 | *300 | *600 | 750 |
/app/office365/{key}/sso/wsfed/active | N/A | N/A | N/A | 2000 | 1000 |
/app/office365/{key}/sso/wsfed/passive | N/A | N/A | N/A | 250 | 250 |
/app/template_saml_2_0/{key}/sso/saml | 100 | 300 | *300 | *600 | 2500 |
/login/do-login | 100 | 300 | 300 | 600 | 200 |
/login/login.htm | 100 | 300 | 300 | 600 | 850 |
/login/sso_iwa_auth | 100 | 300 | 300 | 600 | 500 |
/api/plugin/{protocolVersion}/form-cred/{appUserIds}/{formSiteOption} | 100 | 300 | *300 | *600 | 650 |
/api/plugin/{protocolVersion}/sites | 20 | 50 | 50 | 100 | 150 |
/bc/image/fileStoreRecord | 100 | 300 | *300 | *600 | 500 |
/bc/globalFileStoreRecord | 100 | 300 | *300 | *600 | 500 |
These rate limits apply to all new Okta organizations. For orgs created before 2018-05-17, the previous rate limits still apply.
The limits for these endpoints can be increased by purchasing the High-capacity add-on.
Per-user limits
API endpoints that take username and password credentials, including the Authentication API and the OAuth 2.0 resource owner password flow, have a per-username rate limit to slow brute-force attacks against a user's password:
Action and Okta API Endpoint | Per User Limits (All Orgs) |
---|---|
Authenticate the same user: /api/v1/authn | 4 per second |
Generate or refresh an OAuth 2.0 token: /oauth2/v1/token | 4 per second |
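To see how the end-user limit (40 requests per user per 10 seconds per endpoint) and the per-username limit on the credential endpoints above (4 per second) behave from a client's point of view, here is an added example, not Okta's code or an Okta SDK. It models both limits as sliding windows with an injectable clock so an integration or test harness can pre-check requests before sending them; the sliding-window counting and the endpoint label passed to the dashboard check are assumptions, since the page does not describe Okta's internal counting.

```python
from collections import defaultdict, deque
import time

# Limits stated on this page, as (max_requests, window_seconds). Assumption: they
# are modelled here as sliding windows; Okta's exact counting is not described.
END_USER_LIMIT = (40, 10.0)  # Admin Console / End-User Dashboard, per user per endpoint
PER_USERNAME_LIMITS = {      # credential-taking endpoints, counted per username
    "/api/v1/authn": (4, 1.0),
    "/oauth2/v1/token": (4, 1.0),
}


class SlidingWindowLimiter:
    """Per-key request timestamps; admits a request only while the count in the
    trailing window is below max_requests."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self.history = defaultdict(deque)

    def allow(self, key, max_requests, window):
        now = self.clock()
        recent = self.history[key]
        while recent and now - recent[0] >= window:
            recent.popleft()  # drop timestamps that aged out of the window
        if len(recent) >= max_requests:
            return False
        recent.append(now)
        return True


class OktaLimitModel:
    """Pre-checks a request against the two per-user limits on this page. Returns
    None if it would be admitted, otherwise the name of the limit that applies."""
    def __init__(self, clock=time.monotonic):
        self.limiter = SlidingWindowLimiter(clock)

    def check(self, endpoint, user, from_dashboard=False):
        if endpoint in PER_USERNAME_LIMITS:
            n, w = PER_USERNAME_LIMITS[endpoint]
            if not self.limiter.allow(("username", user, endpoint), n, w):
                return "per-username"
        if from_dashboard:
            n, w = END_USER_LIMIT
            if not self.limiter.allow(("end-user", user, endpoint), n, w):
                return "end-user"
        return None


def admitted_signins(model, username, attempts):
    """Constructed scenario: repeated /api/v1/authn calls for one username; counts
    how many are admitted before the per-username limit applies."""
    return sum(1 for _ in range(attempts) if model.check("/api/v1/authn", username) is None)
```

With the real clock, a burst of ten sign-in attempts for one username admits four and the rest would be answered with HTTP 429 by Okta; the limit is keyed per username, so a different user is unaffected.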
Okta-generated email message rate limits
Limits are applied on a per-recipient basis and vary by email type. The limit for some email types is no more than 30 emails per recipient per minute, while other email types are configured with higher limits. These limits protect your org against denial-of-service attacks and help ensure that adequate resources are available for all customers.