Auth0 Rate Limit Error and HTTP 429 Status on Passwordless Authentication

Overview

This article explains the error that occurs when an end user attempts to authenticate via SMS or email passwordless and is redirected to a generic error page. A 429 (Too Many Requests) status is observed in the web browser console, and the following error is recorded in the logs:


"type": "api_limit", "description": "You passed the limit of allowed calls to '/u/login/passwordless-<connection_type>-challenge'"


Applies To
  • Universal Login
  • Passwordless Authentication
  • Rate Limits

Cause

The error occurs because the platform-level rate limit for the endpoint is five requests per minute. This limit is reached when an incorrect One-Time Password (OTP) is entered five times within a short period. This might happen due to delayed message delivery, a weak cellular or network signal, or other factors prompting repeated attempts.
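To see how often end users actually hit this limit (and which connection type is affected) before deciding on the workarounds below, a tenant log export can be scanned for the api_limit event quoted above. The following Python is an added example, not Auth0's code; the log lines in it are constructed (field names follow the Auth0 log event shape, values are made up).

```python
import json
import re
from collections import Counter

# Endpoint named in the api_limit description; the article's
# <connection_type> placeholder is "sms" or "email" in practice.
CHALLENGE_RE = re.compile(r"/u/login/passwordless-(sms|email)-challenge")


def passwordless_limit_events(log_lines):
    """Yield (date, connection_type, ip) for api_limit events that hit the
    passwordless challenge endpoint. Other events and malformed lines are skipped."""
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("type") != "api_limit":
            continue
        match = CHALLENGE_RE.search(event.get("description", ""))
        if not match:
            continue
        yield event.get("date"), match.group(1), event.get("ip")


def summarize(log_lines):
    """Count rate-limited passwordless challenges per connection type and per client IP,
    so repeated hits from one address can be told apart from many users each hitting it once."""
    by_conn, by_ip = Counter(), Counter()
    for _date, conn, ip in passwordless_limit_events(log_lines):
        by_conn[conn] += 1
        by_ip[ip] += 1
    return {"by_connection": dict(by_conn), "by_ip": dict(by_ip)}


# Constructed sample log export (JSON lines); not real tenant data.
SAMPLE_LOGS = [
    '{"date":"2024-05-01T10:00:03.000Z","type":"api_limit","description":"You passed the limit of allowed calls to \'/u/login/passwordless-sms-challenge\'","ip":"203.0.113.10"}',
    '{"date":"2024-05-01T10:00:41.000Z","type":"f","description":"Wrong email or verification code.","ip":"203.0.113.10"}',
    '{"date":"2024-05-01T10:02:15.000Z","type":"api_limit","description":"You passed the limit of allowed calls to \'/u/login/passwordless-email-challenge\'","ip":"198.51.100.7"}',
    '{"date":"2024-05-01T10:05:00.000Z","type":"api_limit","description":"You passed the limit of allowed calls to \'/oauth/token\'","ip":"198.51.100.7"}',
    "not json",
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
```

Only the two api_limit events whose description names the passwordless challenge endpoint are counted; the /oauth/token limit event and the ordinary failed login are ignored.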

Solution

The platform-level rate limit cannot be modified, and the redirect to the generic error page cannot be prevented once the limit is reached. Apply the following workarounds to improve the authentication experience:


Customize the Universal Login text:

  1. In the Auth0 Dashboard, choose Branding > Universal Login > Edit Text and Translations from the navigation menu.
  2. Select the respective passwordless prompt (for example, login-passwordless).
  3. Select the respective passwordless screen (for example, login-passwordless-otp-sms or login-passwordless-email-code).
  4. Update the existing description or error message text to advise the user to wait before trying again.


Replace the generic error page:

  1. Choose Tenant Settings > General > Error Pages from the navigation menu.
  2. Select Custom.
  3. Enter the URL for the custom error page.


For more information on rate limits, consult the Rate Limit Policy: Rate Limit Configurations.
