|
1 | | -| Endpoint | Path | Limited By | Rate Limit | |
2 | | -| ------------------------------------------------ | -------------------------------------------------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
3 | | -| All endpoints that send emails | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user`[^1] | Sum of combined requests | Defaults to 4 emails per hour as of 14th July 2023. As of 21 Oct 2023, this has been updated to <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour. You can only change this with your own custom SMTP setup. | |
4 | | -| All endpoints that send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. Is customizable. | |
5 | | -| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed to the same user. Is customizable. | |
6 | | -| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed to the same user. Is customizable. | |
7 | | -| Password Reset Request | `/auth/v1/recover` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed to the same user. Is customizable. | |
8 | | -| Verification requests | `/auth/v1/verify` | IP Address | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) | |
9 | | -| Token refresh requests | `/auth/v1/token` | IP Address | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) | |
10 | | -| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) | |
11 | | -| Anonymous sign-ins | `/auth/v1/signup`[^2] | IP Address | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests) | |
12 | | - |
13 | | -[^1]: The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address. |
14 | | -[^2]: The rate limit is only applied on `/auth/v1/signup` if this endpoint is called without passing in an email or phone number in the request body. |
| 1 | +| Operation | Path | Limited By | Customizable | Limit | |
| 2 | +| ---------------------------------- | -------------------------------------------------------------- | ------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | |
| 3 | +| Endpoints that trigger email sends | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user` | Sum of combined requests project-wide | Custom SMTP Only | <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour with the built-in email provider. You can only change this with a custom SMTP setup. The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address. | |
| 4 | +| Send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests project-wide | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. | |
| 5 | +| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed to the same user. | |
| 6 | +| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed to the same user. | |
| 7 | +| Password Reset Request | `/auth/v1/recover` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed to the same user. | |
| 8 | +| Verification requests | `/auth/v1/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) | |
| 9 | +| Token refresh requests | `/auth/v1/token` | IP Address | No | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) | |
| 10 | +| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) | |
| 11 | +| Anonymous sign-ins | `/auth/v1/signup` | IP Address | No | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests). Rate limit only applies if this endpoint is called without passing in an email or phone number in the request body. | |
0 commit comments