This article discusses how rate limits are enforced when making OAuth requests to Okta's Authorization Servers.
- OAuth/OpenID Connect applications
- Okta Classic Engine
- Okta Identity Engine (OIE)
The Org Authorization Server has its own rate limit bucket, separate from the Custom Authorization Servers. All Custom Authorization Servers in the same org, including the Default Custom Authorization Server, count against a single shared rate limit bucket.
For example, suppose there are 3 OpenID Connect applications in an org:
- App A uses the Org Authorization Server.
- App B uses the Default Custom Authorization Server.
- App C uses another Custom Authorization Server.
If the rate limit is reached for the Org Authorization Server, App B and App C will not see any associated rate limit violations. However, if the rate limit is reached for any of the org's Custom Authorization Servers, HTTP 429 responses will be returned for both App B and App C, even if some unnamed App D that uses a completely different Custom Authorization Server in the same org is the one that caused the violation.
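The following is an added example, not code from this article or from Okta, that models the bucket behaviour described above so the scenario can be checked end to end. It assumes a simple fixed-window counter with constructed limits of five requests per window; Okta's real limits, window lengths and enforcement algorithm differ and are not described on this page. The point it shows is structural: one bucket for the Org Authorization Server, one shared bucket for every Custom Authorization Server, so App D draining the shared bucket causes 429s for App B and App C but never for App A.

```python
from dataclasses import dataclass

ORG_AS = "org"  # identifier for the Org Authorization Server

# Hypothetical Custom Authorization Server names used only for this example.
DEFAULT_CUSTOM_AS = "default"
CUSTOM_AS_1 = "custom-1"
CUSTOM_AS_2 = "custom-2"


@dataclass
class Bucket:
    """Fixed-window counter (a simplification, not Okta's algorithm)."""
    limit: int
    window_seconds: float
    count: int = 0
    window_start: float = 0.0

    def try_consume(self, now: float) -> bool:
        # Start a fresh window once the previous one has expired.
        if now - self.window_start >= self.window_seconds:
            self.window_start = now
            self.count = 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


class AuthServerRateLimiter:
    """Two buckets: one for the Org AS, one shared by all Custom ASes."""

    def __init__(self, org_limit: int, custom_limit: int, window_seconds: float = 60.0):
        self.org_bucket = Bucket(org_limit, window_seconds)
        self.custom_bucket = Bucket(custom_limit, window_seconds)

    def bucket_for(self, auth_server: str) -> Bucket:
        # Every server other than the Org AS (default custom AS included)
        # draws from the single shared custom bucket.
        return self.org_bucket if auth_server == ORG_AS else self.custom_bucket

    def request(self, app: str, auth_server: str, now: float) -> int:
        """Return the HTTP status an OAuth request from `app` would get."""
        return 200 if self.bucket_for(auth_server).try_consume(now) else 429


def simulate(org_limit: int = 5, custom_limit: int = 5) -> dict:
    """Replay the App A / B / C / D scenario and return each app's status."""
    limiter = AuthServerRateLimiter(org_limit, custom_limit)
    t = 0.0

    # App D, on an unrelated Custom AS, exhausts the shared custom bucket.
    for _ in range(custom_limit):
        limiter.request("App D", CUSTOM_AS_2, t)

    return {
        "App A (Org AS)": limiter.request("App A", ORG_AS, t),
        "App B (Default Custom AS)": limiter.request("App B", DEFAULT_CUSTOM_AS, t),
        "App C (Custom AS)": limiter.request("App C", CUSTOM_AS_1, t),
        # Once the window rolls over the shared bucket refills.
        "App B after window reset": limiter.request(
            "App B", DEFAULT_CUSTOM_AS, t + limiter.custom_bucket.window_seconds
        ),
    }


if __name__ == "__main__":
    for label, status in simulate().items():
        print(f"{label}: {status}")
```

Running the script shows App A still receiving 200 while App B and App C receive 429, which is the separation the article describes; the last line shows the custom apps recovering once the window resets.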
