<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
429 Response from Token Endpoint - user_rate_limited Events in System Logs
Oct 14, 2025
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

When an application uses the Resource Owner Password Grant (ROPG) to authenticate the same user more than four times in one second, it will receive a 429 response, and System Logs will contain a log with the `user_rate_limited` event. This is not configurable and will require reevaluating the implementation.

Applies To
  • OAuth 2.0 
  • Resource Owner Password Grant (ROPG)
Cause

This error is caused by a specific per-user rate limit on the /oauth2/v1/token endpoint for the Resource Owner Password Grant. An application will trigger this error if it makes more than four authentication requests per second for the same user. This security control is in place to protect individual user accounts from brute force attacks and is specific to this OAuth 2.0 grant. This is a per-user rate limit, and is enforced without regard to the authorization server or client user.

Solution

The solution involves reviewing the application's authentication design and migrating to a more secure and robust grant type.

  1. Review Application Logic and Token Caching

Before making other changes, investigate why the application is making so many token requests for a single user. Access tokens are designed to be long-lived. The application should:

    • Request a token once upon successful login.
    • Reuse the access_token for API calls until it expires.
    • Use the refresh_token to get a new token pair when the access token expires, without requiring the user to re-enter their credentials. 

  1. Migrate to a Recommended Grant Type (Best Practice) 

Okta recommends migrating away from ROPG entirely due to its inherent security risks (direct handling of passwords).

    • For applications with an interactive user
      • The most secure method is the Authorization Code Flow (for traditional web applications) or Authorization Code Flow with PKCE (for single-page and native applications). This flow redirects the user to the Okta sign-in page and never exposes user credentials to the application.
    • For machine-to-machine services
      • Use the Client Credentials grant, which is designed specifically for non-interactive clients. Note that this does not return an ID token, and therefore may not work for programmatic testing use-cases.

Related References

Recommended content

Still looking for help?
Loading
429 Response from Token Endpoint - user_rate_limited Events in System Logs