Identity rate limits?

Are there rate limits for Netlify Identity? I was using it to have many users logging in as a single account (basically a custom password authentication form using gotrue-js and a pre-filled email) which would direct users to a protected page on a successful login. It worked beautifully until hitting a thousand or so logins within ~5 minutes. I understand there is a limit to the number of accounts (5 invited, or 1000 active), but this was all logins for the same account. So, did those logins count towards the 1000 active, or is there a rate limit for logins per second, and what would be the best way to allow around 5000 logins within a few minutes? Would upgrading to Level 1 Identity have any impact on this? Or is there a way to perhaps invalidate an authenticated user after they’ve been directed to the gated content so they would be logged out and not count as active users? Is this simply the wrong approach and there’s a better way to have a custom designed password login without limits? Thanks in advance.

We do have rate limits around the number of API calls per minute, which are not related to the number of Identity logins possible on your site; changing Identity levels should not impact how the API behaves, including around rate limits. Higher levels change how many total logins you can have configured, and a few other features like custom email sending addresses.

A thousand logins in 5 minutes sounds likely to be hitting that API rate limit. Could you let me know what exactly failed in that scenario (e.g. “I saw HTTP 429 rate limited responses from API call https://the-real-url”), so I can figure out the feasibility of increasing?

Unfortunately I didn’t get a chance to record a proper response, my error handler didn’t output it correctly, and I had to very quickly remove the authentication entirely due to the nature of running a live event. The page is dead most of the time but at certain times needs to handle thousands of new users within minutes. Netlify has worked beautifully in the past without using Identity, only trouble now is because this is the first time using Identity. The website itself never went down during the whole process, just the authentication stopped returning successful logins. The event was running on https://cnb.live and we are planning to run more events of similar or higher traffic in the future if we can work out a solution. Thanks.

Thanks! We’re still looking for a bit more information to track things down. I don’t see thousands of requests in any small time frame in the past week for that hostname, so having a bit of trouble tracking things down - could you help me understand when this happened (timezone + approximate timestamp)? Armed with that info we should see the cause and be able to help estimate whether it’ll happen again or not and/or if some config change on our side or yours might help.

No problem. It was June 4th at almost exactly 1:30pm EST / 10:30am PDT.

Hey @interphased,
Thanks for sharing that - it helped me find logs to show that you were definitely rate limited. I don’t believe we have documented rate limits for Identity, but our code seems to say that the limit is 30 requests/5 min. I will ask for confirmation when our engineers are back in the “office” on Monday. I don’t believe Identity Level 1 would change that, though it may be negotiable as part of an enterprise plan. If that’s something you might be interested in, let me know and I’d be happy to ask.

One possible alternative that may be worth looking into is the API that backs Netlify Identity, which is open source:

It looks like there is a GOTRUE_RATE_LIMITER_HEADER that’s configurable there.

Just got confirmation that the rate limit is 30 requests per 5 minutes per IP address.

Great. Thank you for all the support. I will not look into Enterprise at this time, but now that I know the limits I can more intelligently plan my web applications. I have a feeling part of the reason there was an issue (if this is truly requests per IP address - not per account) is because a lot of users connected via the same work VPN so they would’ve had the same IP. I’ll have to look into other options for this use case, such as a basic Level 1 serverless function. There are no rate limits for that I’d need to be aware of, correct? 2 million requests / 1000 hours seems like more than enough.

I have a feeling part of the reason there was an issue (if this is truly requests per IP address - not per account) is because a lot of users connected via the same work VPN so they would’ve had the same IP.

Ah, yes, that would explain it! And good idea re: serverless - handling the call to Netlify Identity’s auth endpoint from functions with different IP addresses could definitely be a solution there. No rate limits that I know of.
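To make the two points above concrete (the confirmed limit of 30 requests per 5 minutes per IP address, and the observation that many users behind one work VPN share a single IP), here is an added example that is not code from the thread, from Netlify or from GoTrue. It models the stated policy as a per-IP sliding-window counter and simulates a thousand logins arriving through one egress address. The limit values come from the thread; the class and function names, the sliding-window algorithm (the thread does not say how the real limiter counts) and the sample IPs are assumptions of this example.

```javascript
// Added example: per-IP sliding-window rate limiter modelling the policy
// confirmed in the thread (30 requests per 5 minutes per IP address).
// Names and the sliding-window algorithm are assumptions, not GoTrue's code.

const WINDOW_MS = 5 * 60 * 1000; // 5 minutes, as stated in the thread
const MAX_REQUESTS = 30;         // per IP within the window, as stated

class SlidingWindowLimiter {
  constructor(maxRequests = MAX_REQUESTS, windowMs = WINDOW_MS) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> timestamps (ms) of recent requests
  }

  // Record one request from `ip` at time `now` (ms) and decide whether it
  // fits in the window. Returns { allowed, remaining, retryAfterMs }.
  check(ip, now) {
    const cutoff = now - this.windowMs;
    // Drop hits that have aged out of the window.
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.maxRequests) {
      this.hits.set(ip, recent);
      // Oldest in-window hit must expire before another request fits.
      const retryAfterMs = recent[0] + this.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return {
      allowed: true,
      remaining: this.maxRequests - recent.length,
      retryAfterMs: 0,
    };
  }
}

// Simulate `users` distinct people logging in through the same egress IP
// (for example a corporate VPN), one login every `spacingMs`, and count
// how many the limiter would accept. With 1000 logins spaced 100 ms apart
// the whole burst lasts under two minutes, so only 30 get through.
function simulateSharedIp(users, ip, spacingMs = 100,
                          limiter = new SlidingWindowLimiter()) {
  let allowed = 0;
  let rejected = 0;
  for (let i = 0; i < users; i++) {
    const result = limiter.check(ip, i * spacingMs);
    if (result.allowed) allowed++;
    else rejected++;
  }
  return { allowed, rejected };
}

// Stand-alone demo with a constructed (documentation-range) IP address.
console.log(simulateSharedIp(1000, '203.0.113.7'));
```

The simulation shows why the failure looked like "authentication stopped returning successful logins" rather than an outage: every request after the thirtieth from the shared address is refused until the oldest hit in the window ages out, which is why `retryAfterMs` is returned alongside the decision. Distinct IPs keep independent counters, so users on their own connections are unaffected by the VPN cohort.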