How the Rate Limits Work for Authorization Servers in Okta
Overview
Okta enforces rate limits differently depending on the type of authorization server used for OAuth requests. The Org Authorization Server maintains a separate rate limit bucket from Custom Authorization Servers, while all Custom Authorization Servers share a single rate limit bucket.
Applies To
- OAuth 2.0 / OpenID Connect (OIDC) applications
- Authorization Servers
- API Access Management
Solution
The Org Authorization Server maintains a separate rate limit bucket from Custom Authorization Servers. All Custom Authorization Servers, including the Default Custom Authorization Server, share the same rate limit bucket within an Okta organization.
The following example demonstrates how Okta enforces rate limits across different applications and authorization servers.
- App A uses the Org Authorization Server.
- App B uses the Default Custom Authorization Server.
- App C uses another Custom Authorization Server.
If the Org Authorization Server reaches its rate limit, Okta does not generate rate limit violations for App B and App C, because they draw from the separate Custom Authorization Server bucket. However, if any Custom Authorization Server reaches the rate limit, Okta returns a 429 error for both App B and App C, even when the violation is caused by a fourth application (call it App D) that uses a completely different Custom Authorization Server.
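To make the bucket partition concrete, here is an added example (not Okta's code or documentation) that maps an OAuth endpoint URL to the bucket it consumes and replays the App A/B/C/D scenario above with a toy per-window counter. It relies on Okta's documented URL layout: the Org Authorization Server serves `/oauth2/v1/...`, and every Custom Authorization Server serves `/oauth2/{authServerId}/v1/...`, with `default` as the ID of the Default Custom Authorization Server. The org domain, the custom authorization server IDs and the window limit of 3 are constructed placeholders; real Okta limits are far higher and are published per endpoint.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Two buckets, as the article describes: the Org Authorization Server has its
# own, and every Custom Authorization Server (including "default") shares one.
ORG_BUCKET = "org-authorization-server"
CUSTOM_BUCKET = "custom-authorization-servers"

# Custom AS endpoints look like /oauth2/{authServerId}/v1/token, /v1/authorize, ...
_CUSTOM_AS_PATH = re.compile(r"^/oauth2/(?P<as_id>[^/]+)/v1/")


def bucket_for(url: str) -> str:
    """Return the rate limit bucket an OAuth/OIDC request URL draws from."""
    path = urlparse(url).path
    if path.startswith("/oauth2/v1/"):          # Org Authorization Server
        return ORG_BUCKET
    if _CUSTOM_AS_PATH.match(path):            # any Custom Authorization Server
        return CUSTOM_BUCKET
    raise ValueError(f"not an authorization server endpoint: {path}")


@dataclass
class ToyRateLimiter:
    """Minimal per-window counter; models bucket sharing only, not Okta's real limits."""
    limit_per_window: int
    used: dict = field(default_factory=dict)

    def request(self, url: str) -> int:
        """Return the HTTP status a request would get: 200, or 429 once its bucket is spent."""
        bucket = bucket_for(url)
        if self.used.get(bucket, 0) >= self.limit_per_window:
            return 429
        self.used[bucket] = self.used.get(bucket, 0) + 1
        return 200

    def new_window(self) -> None:
        """Counters reset when the rate limit window rolls over."""
        self.used.clear()


# Constructed placeholders: org domain and custom authorization server IDs.
ORG_DOMAIN = "https://example.okta.com"
APP_ENDPOINTS = {
    "App A": f"{ORG_DOMAIN}/oauth2/v1/token",                 # Org Authorization Server
    "App B": f"{ORG_DOMAIN}/oauth2/default/v1/token",         # Default Custom AS
    "App C": f"{ORG_DOMAIN}/oauth2/aus_EXAMPLE_C/v1/token",   # another Custom AS
    "App D": f"{ORG_DOMAIN}/oauth2/aus_EXAMPLE_D/v1/token",   # yet another Custom AS
}


def simulate_scenario(limit: int = 3) -> dict:
    """Replay the article's scenario and record the status each app observes."""
    rl = ToyRateLimiter(limit_per_window=limit)
    observed = {}

    # Window 1: App A alone exhausts the Org Authorization Server bucket.
    while rl.request(APP_ENDPOINTS["App A"]) == 200:
        pass
    observed["A after org exhausted"] = rl.request(APP_ENDPOINTS["App A"])  # 429
    observed["B after org exhausted"] = rl.request(APP_ENDPOINTS["App B"])  # 200, separate bucket
    observed["C after org exhausted"] = rl.request(APP_ENDPOINTS["App C"])  # 200, separate bucket

    # Window 2: App D, on an unrelated Custom AS, exhausts the shared custom bucket.
    rl.new_window()
    while rl.request(APP_ENDPOINTS["App D"]) == 200:
        pass
    observed["A after custom exhausted"] = rl.request(APP_ENDPOINTS["App A"])  # 200, org bucket untouched
    observed["B after custom exhausted"] = rl.request(APP_ENDPOINTS["App B"])  # 429, shared bucket
    observed["C after custom exhausted"] = rl.request(APP_ENDPOINTS["App C"])  # 429, shared bucket
    return observed


if __name__ == "__main__":
    for label, status in simulate_scenario().items():
        print(f"{label}: {status}")
```

The practical use of `bucket_for` is triage: when an application starts receiving 429 responses, classifying the failing endpoint tells you whether to look at that application's own traffic (Org Authorization Server bucket) or at every application on every Custom Authorization Server in the org (shared bucket), which is where a noisy unrelated client such as App D would show up.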
