Direct Authentication Rate Limit with MFA OTP Flow
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article clarifies an issue where a rate limit error occurs when a user attempts to authenticate using Direct Authentication with One-Time Password (OTP) Multi-Factor Authentication (MFA) Flow. The following error message is displayed:

API call exceeded rate limit due to too many requests

Applies To
  • Direct Authentication
  • Multi-Factor Authentication (MFA)
  • One-Time Password (OTP)
Cause

A hard rate limit of five requests per five minutes is enforced for this authentication method. This limit cannot be exceeded or modified. This specific rate limit is not visible on the Rate Limits dashboard and does not trigger warnings or violations in that interface.

Solution

To resolve this issue, ensure that authentication attempts do not exceed the limit of five requests within a five-minute window. If the error occurs, the user must wait for the five-minute period to expire before attempting to sign in again using the same authenticator method. 

NOTE: The rate limit applies only to the affected authenticator; other authenticators may still be used to sign the user in.
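
One way to keep a client inside this limit, shown as an added example (not Okta's code and not part of the original article): a local guard that refuses a sixth OTP attempt within five minutes, reports how long to wait, and lists the authenticators that still have budget. Assumptions: the limit is counted per user and per authenticator, each call the client sends counts as one request, and the names `OtpAttemptGuard`, `alice`, `otp` and `push` are constructed for illustration.

```python
import time
from collections import defaultdict, deque

LIMIT = 5             # requests allowed per window (from the article)
WINDOW_SECONDS = 300  # five minutes (from the article)


class OtpAttemptGuard:
    """Local budget for OTP attempts, keyed by (user, authenticator).

    Assumption: the server counts per user and per authenticator. A sliding
    window is used locally because it never allows more than LIMIT attempts in
    any five-minute span, whichever way the server aligns its own window.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sent = defaultdict(deque)  # key -> timestamps of recent attempts

    def wait_seconds(self, user, authenticator):
        """Return 0.0 if an attempt may be sent now, else seconds to wait."""
        sent = self._sent[(user, authenticator)]
        now = self._clock()
        while sent and sent[0] <= now - WINDOW_SECONDS:
            sent.popleft()  # attempt has aged out of the window
        if len(sent) < LIMIT:
            return 0.0
        return sent[0] + WINDOW_SECONDS - now

    def try_acquire(self, user, authenticator):
        """Reserve one attempt; False means do not call the API yet."""
        if self.wait_seconds(user, authenticator) > 0:
            return False
        self._sent[(user, authenticator)].append(self._clock())
        return True

    def available(self, user, authenticators):
        """Authenticators that still have budget (the article's NOTE)."""
        return [a for a in authenticators if self.wait_seconds(user, a) == 0.0]


if __name__ == "__main__":
    now = [0.0]  # constructed fake clock so the demo runs instantly
    guard = OtpAttemptGuard(clock=lambda: now[0])
    for _ in range(6):
        print(guard.try_acquire("alice", "otp"), end=" ")
        now[0] += 10
    print("\nwait:", guard.wait_seconds("alice", "otp"))
    print("usable:", guard.available("alice", ["otp", "push"]))
```

Because this limit does not appear on the Rate Limits dashboard, a local count like this is the only advance signal the client has before the error is returned.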

 
