Auth0 /userinfo Endpoint Returns "429 Rate Limits" Error

Overview

Calls to the /userinfo endpoint return HTTP 429 (Too Many Requests) once the rate limit for that endpoint has been exceeded.

An api_limit entry in the tenant logs with the following fields is a signal of this issue:

  "type": "api_limit",
  "description": "You passed the limit of allowed calls to `/userinfo` with the same user.",

Applies To
  • Rate Limits
  • /userinfo Endpoint
  • 429 Error Code

Cause

The number of calls to the /userinfo endpoint for the same user exceeds the limit defined in Auth0's Rate Limits Policy. As the log message states, this limit is applied per user, so a single application that fetches the profile of one signed-in user again and again (for example on every page load or every API request) can trip it even when overall tenant traffic is low.

Solution

Review Auth0's Rate Limits Policy. Auth0 strongly recommends that the application handles rate limits in its own code using the information in the HTTP response headers: X-RateLimit-Limit (calls allowed in the current window), X-RateLimit-Remaining (calls left in the window) and X-RateLimit-Reset (the Unix time, in seconds, at which the window resets). When a 429 is received, wait until the reset time before calling again; retrying immediately only produces more api_limit log entries and more 429 responses.
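The following is an added example, not Auth0's own code or an Auth0 SDK, of what "handling rate limits in application code" looks like for /userinfo: the client reads X-RateLimit-Reset on a 429 and waits for the window to reset instead of hammering the endpoint, and it caches each profile for a bounded time so repeated lookups for the same user cost one call. The tenant domain, the FakeAuth0 transport and its limit of 5 calls per user per minute are assumptions so that the code runs offline; they are not the policy's actual numbers.

```python
"""Rate-limit-aware /userinfo client with bounded per-token caching.

Added example, not Auth0's own code. It relies on the documented Auth0
rate-limit headers (X-RateLimit-Limit, X-RateLimit-Remaining and
X-RateLimit-Reset, the last a Unix timestamp in seconds) and a pluggable
transport so it runs offline against the constructed FakeAuth0 below.
The tenant domain and the fake's 5-per-minute limit are assumptions.
"""
import hashlib
import time
from typing import Callable, Dict, Tuple

# transport(url, access_token) -> (status, headers, json_body)
Transport = Callable[[str, str], Tuple[int, Dict[str, str], dict]]


class UserInfoError(Exception):
    """Raised when /userinfo fails, including a 429 that persists after one wait."""


class UserInfoClient:
    def __init__(self, transport: Transport, clock=time.time, sleep=time.sleep,
                 ttl: float = 300.0, base_url: str = "https://YOUR_DOMAIN"):
        self.transport, self.clock, self.sleep, self.ttl = transport, clock, sleep, ttl
        self.base_url = base_url                        # assumed tenant domain
        self._cache: Dict[str, Tuple[float, dict]] = {}  # token hash -> (expires_at, profile)
        self.network_calls = 0

    def userinfo(self, access_token: str) -> dict:
        # Key the cache by a hash so raw bearer tokens never sit in memory as keys.
        key = hashlib.sha256(access_token.encode()).hexdigest()
        hit = self._cache.get(key)
        if hit is not None and hit[0] > self.clock():
            return hit[1]                               # served from cache, no network call
        attempts = 0
        while True:
            attempts += 1
            self.network_calls += 1
            status, headers, body = self.transport(self.base_url + "/userinfo", access_token)
            if status == 200:
                self._cache[key] = (self.clock() + self.ttl, body)
                return body
            if status != 429 or attempts == 2:
                raise UserInfoError(f"/userinfo returned HTTP {status}")
            # Wait until the window resets instead of retrying blindly, which would
            # only generate more api_limit log entries and more 429 responses.
            reset_at = float(headers.get("X-RateLimit-Reset", self.clock() + 60))
            self.sleep(max(0.0, reset_at - self.clock()))


class FakeClock:
    """Controllable clock so the example runs without real waiting."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class FakeAuth0:
    """Constructed stand-in for the tenant: fixed window per token, then 429."""
    def __init__(self, clock: Callable[[], float], limit: int = 5, window: int = 60):
        self.clock, self.limit, self.window = clock, limit, window
        self._windows: Dict[str, Tuple[float, int]] = {}  # token -> (window_start, count)

    def __call__(self, url: str, token: str):
        now = self.clock()
        start, count = self._windows.get(token, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        headers = {"X-RateLimit-Limit": str(self.limit),
                   "X-RateLimit-Remaining": str(max(0, self.limit - count - 1)),
                   "X-RateLimit-Reset": str(int(start + self.window))}
        if count >= self.limit:
            return 429, headers, {"error": "too_many_requests"}
        self._windows[token] = (start, count + 1)
        # Constructed profile; a real response carries the claims granted by the scopes.
        return 200, headers, {"sub": "auth0|" + token, "email": token + "@example.com"}


def demo() -> dict:
    clock = FakeClock()
    server = FakeAuth0(clock)
    cached = UserInfoClient(server, clock=clock, sleep=clock.sleep, ttl=120)
    for _ in range(20):                      # 20 page loads for one signed-in user
        cached.userinfo("alice")
    uncached = UserInfoClient(server, clock=clock, sleep=clock.sleep, ttl=0)
    t0 = clock()
    for _ in range(6):                       # the sixth call trips the fake's limit
        uncached.userinfo("bob")
    return {"cached_network_calls": cached.network_calls,        # 1
            "uncached_network_calls": uncached.network_calls,    # 7: 5 ok, one 429, retry ok
            "waited_seconds": clock() - t0}                      # 60.0, taken from the header


if __name__ == "__main__":
    print(demo())
```

The uncached client still recovers, but only by sleeping for the whole window, which is exactly the latency the cached client never pays. In a real application the TTL should be no longer than you are willing to serve a stale profile, and the wait-and-retry should be capped so a persistent 429 surfaces as an error rather than a hung request.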

All Auth0 services include built-in rate limiting and automated blocking to mitigate advanced Distributed Denial-of-Service (DDoS) and authentication attacks. The Auth0 network infrastructure is protected against volumetric attacks by its cloud providers, in addition to a dedicated DDoS mitigation service. Furthermore, to protect the platform, Auth0 imposes rate limits on APIs and database calls.

The specific limits that apply to each endpoint are listed in the Rate Limits Policy referenced above.

To avoid 429 errors on the /userinfo endpoint, request an ID Token (by including the openid scope, plus profile and email for those claims) and read the user information from its claims instead. The ID Token carries the standard OIDC profile claims for the scopes granted, so keeping it (or the claims taken from it) for the lifetime of the session removes the need to call /userinfo on every request. Validate the token (signature, issuer, audience and expiry) before trusting its claims, and treat the claims as stale once the token expires.

Alternatively, cache the data returned by the /userinfo request so that fewer API calls are performed, with a bounded lifetime so that profile changes are eventually picked up. The ID Token is the suggested approach.

More information on retrieving an ID Token can be found in the Get ID Tokens article.
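As an added example, not Auth0's own code, the following shows the ID Token approach end to end: the token is validated once at login and its profile claims are then served from the session for as long as the token is valid, so /userinfo is never called. To run offline it mints an HS256 token with a constructed client secret; Auth0 tenants default to RS256, where the same issuer, audience, expiry and algorithm checks apply but the signature is verified against the tenant's JWKS public key instead of a shared secret. The tenant issuer, client ID and all claim values are assumptions.

```python
"""Serve the user profile from a validated ID token instead of calling /userinfo.

Added example, not Auth0's own code. To run offline it mints an HS256 token
with a constructed client secret; Auth0 tenants default to RS256, where the
same checks apply with the tenant's JWKS public key in place of the shared
secret. The tenant issuer, client ID and all claim values are assumptions.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://YOUR_DOMAIN/"          # assumed tenant issuer (Auth0 issuers end in "/")
CLIENT_ID = "YOUR_CLIENT_ID"             # assumed application client ID
SECRET = b"constructed-client-secret"    # constructed; never hard-code a real one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict) -> str:
    """Constructed stand-in for the tenant minting an ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, now: float) -> dict:
    """Accept only a token signed for this client by this tenant and still valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # the token never chooses the algorithm
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))       # decode only after the signature checks out
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class SessionProfile:
    """Claims from one validated ID token, reused for the session until exp."""
    PROFILE_CLAIMS = ("sub", "name", "email")

    def __init__(self, id_token: str, now: float):
        self._claims = verify_id_token(id_token, now)   # validate before trusting anything

    def profile(self, now: float) -> dict:
        if self._claims["exp"] <= now:
            raise ValueError("ID token expired; re-authenticate rather than polling /userinfo")
        return {k: self._claims[k] for k in self.PROFILE_CLAIMS if k in self._claims}


def demo() -> dict:
    now = 1_700_000_000.0
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|alice", "name": "Alice",
            "email": "alice@example.com", "iat": now, "exp": now + 3600}
    session = SessionProfile(sign_id_token(base), now)
    served = [session.profile(now + i) for i in range(100)]   # zero /userinfo calls
    h, p, s = sign_id_token(base).split(".")
    # A payload edited after signing keeps the structure but must fail closed.
    tampered = f"{h}.{_b64url(json.dumps({**base, 'email': 'admin@example.com'}).encode())}.{s}"
    bad = {"tampered": tampered,
           "wrong_aud": sign_id_token({**base, "aud": "some-other-client"}),
           "expired": sign_id_token({**base, "exp": now - 1})}
    rejected = {}
    for label, tok in bad.items():
        try:
            SessionProfile(tok, now)
            rejected[label] = False
        except ValueError:
            rejected[label] = True
    try:
        session.profile(now + 3600)          # exactly at exp the claims are stale
        expired_served = True
    except ValueError:
        expired_served = False
    return {"email": served[0]["email"], "stable": all(x == served[0] for x in served),
            "rejected": rejected, "expired_served": expired_served}


if __name__ == "__main__":
    print(demo())
```

The point of the exp check in profile() is that "caching the ID Token" must not outlive the token: once it expires, the right move is to re-authenticate (or use a refresh token to obtain a new ID Token), not to fall back to polling /userinfo, which is the pattern that produced the 429s in the first place.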
