Overview
To protect Duo for all customers, Duo's service is subject to rate limits.
The Duo rate limits are divided into the following categories:
Each category has rate limits that are enforced individually.
One-To-Many Object Limits
Duo's service has the following one-to-many object limits:
- 100 phones per user
- 100 groups per user
- 100 OTP tokens per user
- 100 U2F tokens per user
- 100 WebAuthn Credentials per user or administrator
- 100 bypass codes per user
- 100 users per phone
- 100 users per OTP token
- 100 groups assigned to an application
- 400 groups selected to sync per LDAP or Azure directory
The Duo Admin Panel shows an error if a create or update operation exceeds one of these limits.
For example:
- When trying to attach the 101st user to a phone, the Duo Admin Panel will indicate an error "Cannot use phone for more than 100 users".
- When using the Admin API, you will receive a 500 Internal Server Error when POSTing a change that would violate these limits. The response body is the generic internal-error payload rather than a limit-specific message:
500 Internal Server Error
{
    "code": 50001,
    "message": "Unknown internal server error",
    "stat": "FAIL"
}
SSO Static Rate Limits
Duo Single Sign-On (SSO) has an automatic mechanism that delays or rejects customers or IPs that are making too many requests to SSO endpoints.
There is a soft limit below the rate-limit threshold: once the request count passes it, requests are delayed (an async sleep) in an attempt to slow the client down before any request is rejected. Once the threshold itself is exceeded, requests are rate limited and rejected with an HTTP 429 status code response.
Static rate limiting is enforced on all SSO endpoints that are:
- authentication entry points (for example, the first handler in SAML/OIDC).
- authentication “pause points” where a failed handler doesn’t fail.
- non-authentication endpoints.
There are three different rate limiting mechanisms in place that are evaluated in the following order:
- Per IP: Applies to a single IP across all customers on a deployment.
- Per AKEY + IP: Applies to a single IP for a single customer.
- Per AKEY: Applies to all IPs for a single customer.
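To make the soft-limit/hard-limit behaviour and the three tiers evaluated in order concrete, here is an added Python model of such a limiter. It is example code written for this page, not Duo's implementation; the window length, thresholds, delays and the sample IP and AKEY values are constructed assumptions, since the page publishes none of them.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed sliding window; the page does not publish Duo's values

class TierLimit:
    """One scope (per IP, per AKEY+IP, or per AKEY) with a soft and a hard threshold."""

    def __init__(self, name, soft, hard, delay_seconds):
        self.name, self.soft, self.hard, self.delay = name, soft, hard, delay_seconds
        self.hits = defaultdict(deque)  # scope key -> request timestamps in the window

    def record(self, key, now):
        """Count this request against the key and return how many fall inside the window."""
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

class SsoRateLimiter:
    def __init__(self, per_ip, per_akey_ip, per_akey):
        self.tiers = [per_ip, per_akey_ip, per_akey]  # evaluated in this order

    def check(self, ip, akey, now=None):
        """Return ('reject', 429, None), ('delay', 200, seconds) or ('allow', 200, 0.0)."""
        now = time.time() if now is None else now
        keys = [ip, f"{akey}|{ip}", akey]
        verdict, delay = "allow", 0.0
        for tier, key in zip(self.tiers, keys):
            count = tier.record(key, now)
            if count > tier.hard:        # hard limit: reject, later tiers are not consulted
                return ("reject", 429, None)
            if count > tier.soft:        # soft limit: serve, but make the client wait
                verdict, delay = "delay", max(delay, tier.delay)
        return (verdict, 200, delay)

def default_limiter():
    """Constructed thresholds chosen so the example stays short; not Duo's real numbers."""
    return SsoRateLimiter(
        TierLimit("per-ip", soft=8, hard=12, delay_seconds=0.5),
        TierLimit("per-akey-ip", soft=5, hard=8, delay_seconds=1.0),
        TierLimit("per-akey", soft=20, hard=30, delay_seconds=0.25),
    )

def simulate(limiter, ip, akey, n, start=0.0, spacing=0.1):
    """Send n requests from one (ip, akey) pair and return the verdict of each."""
    return [limiter.check(ip, akey, now=start + i * spacing)[0] for i in range(n)]
```

With the constructed thresholds, one IP hitting one customer's SSO endpoints is served normally for the first five requests, delayed for the next three, and rejected with 429 from the ninth onward; a second IP for the same customer is still counted against the shared per-AKEY tier.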
Auth API Per-User Limits
Default values for Auth API per-user limits:
- Duo Free: 10 authentications per user per minute.
- Duo Essentials, Duo Advantage, Duo Premier: 30 authentications per user per minute.