Missing Rate Limit Error When Using the Okta Auth SDK for Password Recovery
Okta Classic Engine
Okta Identity Engine
SDKs & Libraries
Overview

This article clarifies the observable behavior when using the .NET Okta Auth SDK to resend One-Time Password (OTP) codes via Short Message Service (SMS) or voice call during the forgot password flow.

When calling the ForgotPasswordAsync method multiple times within a minute, a "200 OK" with a "RECOVERY_CHALLENGE" status is received instead of an error. However, when making a direct endpoint call to /api/v1/authn/recovery/password with a Secure Socket Web Server (SSWS) token under the same conditions, the following error is received:

E0000109 "An SMS message was recently sent. Please wait 30 seconds before trying again."

Applies To
  • .NET Okta Auth SDK
  • One-Time Password (OTP)
  • Password recovery
  • Rate limiting
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

When making a direct REST API call with an SSWS token, the request is treated as a trusted application with administrative privileges. That trust level gives full visibility into the transaction state, so the backend rate limit surfaces as an explicit HTTP 429 Too Many Requests error. Conversely, when the Auth SDK is used without a token, the request is treated as an untrusted public application. To prevent user enumeration and abuse, the system absorbs the backend rate-limit error, exposes no metadata about it, and returns the standard "RECOVERY_CHALLENGE" status instead.

Solution

The observed behavior is expected. When the forgot password API is called without an SSWS token, specific underlying errors are intentionally abstracted away to prevent information disclosure. Because the public Auth SDK always returns a success response to protect user privacy, the API response cannot be used to detect the rate-limited state.

To handle rate limiting effectively, one example solution is to enforce the limit on the client side by following these guidelines:

  1. Initiate the password recovery process via the SDK, which sets the transaction state to "RECOVERY_CHALLENGE".
  2. Disable the Resend button on the front end immediately after a user requests an SMS or voice OTP.
  3. Initiate a local 30-second countdown timer before allowing the user to select the Resend button again.
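The three steps above as a small client-side cooldown gate, written as an added example for this article rather than code from Okta or the Auth SDK. The SDK call is replaced by a constructed stub (`forgotPasswordStub`) that always reports "RECOVERY_CHALLENGE", exactly as the untrusted path behaves; the 30-second value mirrors the E0000109 message; the clock is injectable so the countdown can be exercised without waiting; and the element wiring in `attachResendButton` assumes a plain button element and is hypothetical.

```javascript
// Client-side resend cooldown for the forgot-password OTP flow (added example).
// The public (no SSWS token) Auth SDK path returns RECOVERY_CHALLENGE even when
// the SMS/voice send was throttled, so the client enforces the 30-second wait.

const RESEND_COOLDOWN_MS = 30 * 1000; // mirrors the 30 seconds quoted in E0000109

// Constructed stand-in for the SDK's forgot-password call. It always reports
// RECOVERY_CHALLENGE, as the article describes for the untrusted path, and
// carries no rate-limit signal the client could act on.
async function forgotPasswordStub(username, factorType) {
  return { status: 'RECOVERY_CHALLENGE', factorType, username };
}

class ResendGate {
  // `now` is injectable so the cooldown can be driven by a fake clock in tests.
  constructor({ now = () => Date.now(), sendFn = forgotPasswordStub, cooldownMs = RESEND_COOLDOWN_MS } = {}) {
    this.now = now;
    this.sendFn = sendFn;
    this.cooldownMs = cooldownMs;
    this.lastSentAt = null; // timestamp of the last OTP request, null before the first
    this.status = null;     // last transaction status reported by the server
  }

  // Milliseconds left before another resend is permitted (0 when allowed).
  remainingMs() {
    if (this.lastSentAt === null) return 0;
    const left = this.lastSentAt + this.cooldownMs - this.now();
    return left > 0 ? left : 0;
  }

  canResend() {
    return this.remainingMs() === 0;
  }

  // Record that an OTP was just requested: this is what disables the Resend
  // button (step 2) and starts the local countdown (step 3).
  markSent(status) {
    this.status = status;
    this.lastSentAt = this.now();
  }

  // Step 1 plus the local guard: refuse while the cooldown runs, otherwise
  // call the SDK and start the countdown as soon as the request is accepted.
  async request(username, factorType) {
    if (!this.canResend()) {
      return { sent: false, waitSeconds: Math.ceil(this.remainingMs() / 1000), status: this.status };
    }
    const res = await this.sendFn(username, factorType);
    this.markSent(res.status);
    return { sent: true, waitSeconds: Math.ceil(this.cooldownMs / 1000), status: this.status };
  }
}

// What the UI should show for the Resend control right now. Kept free of DOM
// code so it works with any framework and can be checked without a browser.
function renderResendControl(gate) {
  const secs = Math.ceil(gate.remainingMs() / 1000);
  return secs > 0
    ? { disabled: true, label: `Resend in ${secs}s` }
    : { disabled: false, label: 'Resend code' };
}

// Hypothetical browser wiring: repaint the button once a second while the
// countdown runs, and disable it immediately after a click.
function attachResendButton(gate, buttonEl, username, factorType, timers = globalThis) {
  const paint = () => {
    const view = renderResendControl(gate);
    buttonEl.disabled = view.disabled;
    buttonEl.textContent = view.label;
  };
  buttonEl.addEventListener('click', async () => {
    await gate.request(username, factorType);
    paint();
  });
  paint();
  return timers.setInterval(paint, 1000); // caller clears this when the view unmounts
}
```

The gate is deliberately independent of the server's answer: since the response is always "RECOVERY_CHALLENGE", the only reliable signal the client has is its own record of when the last OTP was requested.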

For more information, refer to the Okta Authentication API documentation and the Okta Authentication SDK documentation.
