Auth

Rate limits

Rate limits protect your services from abuse

Supabase Auth enforces rate limits on endpoints to prevent abuse. Some rate limits are customizable.

You can also manage rate limits using the Management API:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Get your access token from https://supabase.com/dashboard/account/tokensexport SUPABASE_ACCESS_TOKEN="your-access-token"export PROJECT_REF="your-project-ref"# Get current rate limitscurl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/config/auth" \  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \  | jq 'to_entries | map(select(.key | startswith("rate_limit_"))) | from_entries'# Update rate limitscurl -X PATCH "https://api.supabase.com/v1/projects/$PROJECT_REF/config/auth" \  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \  -H "Content-Type: application/json" \  -d '{    "rate_limit_anonymous_users": 10,    "rate_limit_email_sent": 10,    "rate_limit_sms_sent": 10,    "rate_limit_verify": 10,    "rate_limit_token_refresh": 10,    "rate_limit_otp": 10,    "rate_limit_web3": 10  }'
EndpointPathLimited ByRate Limit
All endpoints that send emails/auth/v1/signup /auth/v1/recover /auth/v1/user1Sum of combined requestsDefaults to 4 emails per hour as of 14th July 2023. As of 21 Oct 2023, this has been updated to 2 emails per hour. You can only change this with your own custom SMTP setup.
All endpoints that send One-Time-Passwords (OTP)/auth/v1/otpSum of combined requestsDefaults to 30 OTPs per hour. Is customizable.
Send OTPs or magic links/auth/v1/otpLast requestDefaults to 60 seconds window before a new request is allowed. Is customizable.
Signup confirmation request/auth/v1/signupLast requestDefaults to 60 seconds window before a new request is allowed. Is customizable.
Password Reset Request/auth/v1/recoverLast requestDefaults to 60 seconds window before a new request is allowed. Is customizable.
Verification requests/auth/v1/verifyIP Address360 requests per hour (with bursts up to 30 requests)
Token refresh requests/auth/v1/tokenIP Address1800 requests per hour (with bursts up to 30 requests)
Create or Verify an MFA challenge/auth/v1/factors/:id/challenge /auth/v1/factors/:id/verifyIP Address15 requests per hour (with bursts up to requests)
Anonymous sign-ins/auth/v1/signup2IP Address30 requests per hour (with bursts up to 30 requests)

Footnotes

  1. The rate limit is only applied on /auth/v1/user if this endpoint is called to update the user's email address.

  2. The rate limit is only applied on /auth/v1/signup if this endpoint is called without passing in an email or phone number in the request body.