lywsvip/supabase
1
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-05-07 06:27:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: improve clarity of auth rate limits (#43618)

Browse Source 
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Doc update to improve clarity of auth rate limits.

---------

Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
This commit is contained in:
Taryn King
2026-03-16 09:37:50 -05:00
committed by GitHub
parent 68ef4097a7
commit cfbb73c60f
2 changed files with 22 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
apps/docs/content/_partials/auth_rate_limits.mdx
View File

@@ -1,14 +1,11 @@
| Endpoint | Path | Limited By | Rate Limit |
| ------------------------------------------------ | -------------------------------------------------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| All endpoints that send emails | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user`[^1] | Sum of combined requests | Defaults to 4 emails per hour as of 14th July 2023. As of 21 Oct 2023, this has been updated to <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour. You can only change this with your own custom SMTP setup. |
| All endpoints that send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. Is customizable. |
| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed to the same user. Is customizable. |
| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed to the same user. Is customizable. |
| Password Reset Request | `/auth/v1/recover` | Last request of the user | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed to the same user. Is customizable. |
| Verification requests | `/auth/v1/verify` | IP Address | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) |
| Token refresh requests | `/auth/v1/token` | IP Address | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) |
| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) |
| Anonymous sign-ins | `/auth/v1/signup`[^2] | IP Address | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests) |
[^1]: The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address.
[^2]: The rate limit is only applied on `/auth/v1/signup` if this endpoint is called without passing in an email or phone number in the request body.
| Operation | Path | Limited By | Customizable | Limit |
| ---------------------------------- | -------------------------------------------------------------- | ------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Endpoints that trigger email sends | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user` | Sum of combined requests project-wide | Custom SMTP Only | <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour with the built-in email provider. You can only change this with a custom SMTP setup. The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address. |
| Send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests project-wide | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. |
| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed to the same user. |
| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed to the same user. |
| Password Reset Request | `/auth/v1/recover` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed to the same user. |
| Verification requests | `/auth/v1/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) |
| Token refresh requests | `/auth/v1/token` | IP Address | No | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) |
| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) |
| Anonymous sign-ins | `/auth/v1/signup` | IP Address | No | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests). Rate limit only applies if this endpoint is called without passing in an email or phone number in the request body. |

12
apps/docs/content/guides/auth/rate-limits.mdx
View File

@@ -3,7 +3,7 @@ title: 'Rate limits'
subtitle: 'Rate limits protect your services from abuse'
---
Supabase Auth enforces rate limits on endpoints to prevent abuse. Some rate limits are [customizable](/dashboard/project/_/auth/rate-limits).
Supabase Auth enforces rate limits on authentication endpoints to prevent abuse. Some rate limits are customizable, and you can configure them in your project [**Authentication** > **Rate Limits**](/dashboard/project/_/auth/rate-limits).
You can also manage rate limits using the Management API:
@@ -32,4 +32,14 @@ curl -X PATCH "https://api.supabase.com/v1/projects/$PROJECT_REF/config/auth" \
}'
```
## Rate limit behavior
Supabase Auth uses a token bucket algorithm for endpoint operations that are limited by IP address.
Each bucket has a maximum capacity of 30 requests. When the bucket is full, brief bursts of up to 30 requests can be allowed in a short period. Once the bucket empties, requests are rate limited until tokens refill. The rate limit defines the rate at which the bucket is refilled.
This means a client that has been idle will tolerate a brief spike in traffic, but sustained request above the rate limit are denied. When rate limits are exceeded, a **429 Too Many Requests** error is returned.
The table below shows the rate limit quotas and additional details for authentication endpoints.
<$Partial path="auth_rate_limits.mdx" />