apps/docs/content/_partials/auth_rate_limits.mdx
| Operation | Path | Limited By | Customizable | Limit |
|---|---|---|---|---|
| Endpoints that trigger email sends | /auth/v1/signup /auth/v1/recover /auth/v1/user | Sum of combined requests project-wide | Custom SMTP Only | <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour with the built-in email provider. You can only change this with a custom SMTP setup. The rate limit is only applied on /auth/v1/user if this endpoint is called to update the user's email address. |
| Send One-Time-Passwords (OTP) | /auth/v1/otp | Sum of combined requests project-wide | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. |
| Send OTPs or magic links | /auth/v1/otp | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed to the same user. |
| Signup confirmation request | /auth/v1/signup | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed to the same user. |
| Password Reset Request | /auth/v1/recover | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed to the same user. |
| Verification requests | /auth/v1/verify | IP Address | No | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) |
| Token refresh requests | /auth/v1/token | IP Address | No | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) |
| Create or Verify an MFA challenge | /auth/v1/factors/:id/challenge /auth/v1/factors/:id/verify | IP Address | No | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) |
| Anonymous sign-ins | /auth/v1/signup | IP Address | No | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests). Rate limit only applies if this endpoint is called without passing in an email or phone number in the request body. |