WorkOS APIs are rate limited to ensure that they are fast for everyone. If you find yourself getting 429 errors, double check your integration to make sure you aren’t making unnecessary requests.
When a request exceeds its rate limit, WorkOS returns a 429 Too Many Requests response. For limits enforced at the WorkOS edge, the JSON response body has this shape:
The code is stable, while message is a human-readable explanation that may change. Some endpoint-specific limits are enforced by the API origin and return a response with only a human-readable message. For example, the GET /directory_users per-directory limit uses this response shape:
Use the HTTP status code instead of matching an exact message.
Origin responses include an x-request-id header.
When you receive a 429 response, use exponential backoff and randomize each delay to prevent synchronized retries. Increase the delay after each response, limit the total number of retries, and do not continuously retry while waiting. Cap the delay at the published rate-limit window. If you cannot track your request timestamps, wait one full window before retrying. Limits listed as per 60 seconds use a rolling 60-second window, so capacity becomes available as older requests leave the window.
| Name | Path | Limit |
|---|---|---|
| All requests | * | 6,000 requests per 60 seconds per API key |
This rate limit applies to all environments, staging and production. Exceptions to the general rate limit are listed below.
Authenticated API requests are counted per API key, not per source IP address. Spreading requests across multiple IP addresses does not increase your effective limit.
| Name | Path | Limit |
|---|---|---|
| Get Authorization URL | /sso/authorize | 1,000 requests per 60 seconds per connection |
| Name | Path | Limit |
|---|---|---|
| Directory Users | /directory_users | 4 requests per second per directory |
| Name | Path | Limit |
|---|---|---|
| Delete Organization | /organizations/* | 50 requests per 60 seconds per API key |
Rate limiting for AuthKit APIs are enforced on a per environment basis.
| Name | Path | Limit |
|---|---|---|
| Reads | /user_management/* | 1,000 requests per 10 seconds |
| Writes | /user_management/* | 500 requests per 10 seconds |
| Authentication | /user_management/authenticate | 10 requests per 60 seconds per email or challenge ID |
| Magic Auth | /user_management/magic_auth/send | 3 requests per 60 seconds per email |
| Email verification | /user_management/:id/email_verification/send | 3 requests per 60 seconds per user |
| Password reset | /user_management/password_reset/send | 3 requests per 60 seconds per email |
| Name | Limits |
|---|---|
| Reads | 1,000 requests per 10 seconds |
| Writes | 500 requests per 10 seconds |
| SSO sign-ins | 3 requests per 60 seconds per IP address |
| Email sign-ins | 10 requests per 60 seconds per email and IP address |
| Magic Auth sign-ins | 10 requests per 60 seconds per IP address and challenge ID |
| Magic Auth code requests | 3 requests per 60 seconds per IP address and email |