diff --git a/apps/docs/content/_partials/auth_rate_limits.mdx b/apps/docs/content/_partials/auth_rate_limits.mdx
index b8d2debdc2..e4b7d7e531 100644
--- a/apps/docs/content/_partials/auth_rate_limits.mdx
+++ b/apps/docs/content/_partials/auth_rate_limits.mdx
@@ -1,14 +1,11 @@
-| Endpoint | Path | Limited By | Rate Limit |
-| ------------------------------------------------ | -------------------------------------------------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| All endpoints that send emails | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user`[^1] | Sum of combined requests | Defaults to 4 emails per hour as of 14th July 2023. As of 21 Oct 2023, this has been updated to auth.rate_limits.email.inbuilt_smtp_per_hour emails per hour. You can only change this with your own custom SMTP setup. |
-| All endpoints that send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests | Defaults to auth.rate_limits.otp.requests_per_hour OTPs per hour. Is customizable. |
-| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Defaults to auth.rate_limits.otp.period window before a new request is allowed to the same user. Is customizable. |
-| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Defaults to auth.rate_limits.signup_confirmation.period window before a new request is allowed to the same user. Is customizable. |
-| Password Reset Request | `/auth/v1/recover` | Last request of the user | Defaults to auth.rate_limits.password_reset.period window before a new request is allowed to the same user. Is customizable. |
-| Verification requests | `/auth/v1/verify` | IP Address | auth.rate_limits.verification.requests_per_hour requests per hour (with bursts up to auth.rate_limits.verification.requests_burst requests) |
-| Token refresh requests | `/auth/v1/token` | IP Address | auth.rate_limits.token_refresh.requests_per_hour requests per hour (with bursts up to auth.rate_limits.token_refresh.requests_burst requests) |
-| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | auth.rate_limits.mfa.requests_per_hour requests per hour (with bursts up to auth.rate_limits.verification.mfa requests) |
-| Anonymous sign-ins | `/auth/v1/signup`[^2] | IP Address | auth.rate_limits.anonymous_signin.requests_per_hour requests per hour (with bursts up to auth.rate_limits.anonymous_signin.requests_burst requests) |
-
-[^1]: The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address.
-[^2]: The rate limit is only applied on `/auth/v1/signup` if this endpoint is called without passing in an email or phone number in the request body.
+| Operation | Path | Limited By | Customizable | Limit |
+| ---------------------------------- | -------------------------------------------------------------- | ------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Endpoints that trigger email sends | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user` | Sum of combined requests project-wide | Custom SMTP Only | auth.rate_limits.email.inbuilt_smtp_per_hour emails per hour with the built-in email provider. You can only change this with a custom SMTP setup. The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address. |
+| Send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests project-wide | Yes | Defaults to auth.rate_limits.otp.requests_per_hour OTPs per hour. |
+| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Yes | Defaults to auth.rate_limits.otp.period window before a new request is allowed to the same user. |
+| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Yes | Defaults to auth.rate_limits.signup_confirmation.period window before a new request is allowed to the same user. |
+| Password Reset Request | `/auth/v1/recover` | Last request of the user | Yes | Defaults to auth.rate_limits.password_reset.period window before a new request is allowed to the same user. |
+| Verification requests | `/auth/v1/verify` | IP Address | No | auth.rate_limits.verification.requests_per_hour requests per hour (with bursts up to auth.rate_limits.verification.requests_burst requests) |
+| Token refresh requests | `/auth/v1/token` | IP Address | No | auth.rate_limits.token_refresh.requests_per_hour requests per hour (with bursts up to auth.rate_limits.token_refresh.requests_burst requests) |
+| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | No | auth.rate_limits.mfa.requests_per_hour requests per hour (with bursts up to auth.rate_limits.verification.mfa requests) |
+| Anonymous sign-ins | `/auth/v1/signup` | IP Address | No | auth.rate_limits.anonymous_signin.requests_per_hour requests per hour (with bursts up to auth.rate_limits.anonymous_signin.requests_burst requests). Rate limit only applies if this endpoint is called without passing in an email or phone number in the request body. |
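Review bot: the burst placeholder in the "Create or Verify an MFA challenge" row still reads `auth.rate_limits.verification.mfa`, which breaks the `<section>.requests_per_hour` / `<section>.requests_burst` pairing every other IP-limited row uses (verification, token_refresh, anonymous_signin); since this hunk rewrites the whole table, fix the placeholder here so the MFA row follows the same pattern (confirm the actual key name against the auth config rather than guessing). Two smaller points in the same rows: the "Endpoints that trigger email sends" cell repeats "You can only change this with a custom SMTP setup" even though the new "Customizable" column already says "Custom SMTP Only", so one of the two can go; and now that the footnotes `[^1]`/`[^2]` are folded into the Limit cells, it is worth a quick check that nothing else in the docs still references those footnote ids.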
diff --git a/apps/docs/content/guides/auth/rate-limits.mdx b/apps/docs/content/guides/auth/rate-limits.mdx
index 1233f2c06b..dc543045bd 100644
--- a/apps/docs/content/guides/auth/rate-limits.mdx
+++ b/apps/docs/content/guides/auth/rate-limits.mdx
@@ -3,7 +3,7 @@ title: 'Rate limits'
subtitle: 'Rate limits protect your services from abuse'
---
-Supabase Auth enforces rate limits on endpoints to prevent abuse. Some rate limits are [customizable](/dashboard/project/_/auth/rate-limits).
+Supabase Auth enforces rate limits on authentication endpoints to prevent abuse. Some rate limits are customizable, and you can configure them in your project [**Authentication** > **Rate Limits**](/dashboard/project/_/auth/rate-limits).
You can also manage rate limits using the Management API:
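Review bot: the rewritten sentence says "Some rate limits are customizable" without saying which, while the table this page includes distinguishes limits by "Limited By" and "Customizable"; a short qualifier such as "the per-user and project-wide limits are customizable, the per-IP limits are not" (if that matches the Customizable column) would save readers a trip to the table. The dashboard path wording itself reads fine.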
@@ -32,4 +32,14 @@ curl -X PATCH "https://api.supabase.com/v1/projects/$PROJECT_REF/config/auth" \
}'
```
+## Rate limit behavior
+
+Supabase Auth uses a token bucket algorithm for endpoint operations that are limited by IP address.
+
+Each bucket has a maximum capacity of 30 requests. When the bucket is full, brief bursts of up to 30 requests can be allowed in a short period. Once the bucket empties, requests are rate limited until tokens refill. The rate limit defines the rate at which the bucket is refilled.
+
+This means a client that has been idle will tolerate a brief spike in traffic, but sustained request above the rate limit are denied. When rate limits are exceeded, a **429 Too Many Requests** error is returned.
+
+The table below shows the rate limit quotas and additional details for authentication endpoints.
+
<$Partial path="auth_rate_limits.mdx" />
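Review bot: the new "Rate limit behavior" section hardcodes "a maximum capacity of 30 requests" and "bursts of up to 30 requests", but the included partial expresses each burst as a per-operation placeholder (`auth.rate_limits.verification.requests_burst`, `auth.rate_limits.token_refresh.requests_burst`, and so on); if those values differ per endpoint or are generated from config, the fixed 30 here will drift from the table, so either reference the burst column ("the burst size listed for each endpoint in the table below") or use the same placeholder mechanism. Also a grammar fix in the same paragraph: "sustained request above the rate limit are denied" should read "sustained requests above the rate limit are denied".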