supabase/apps/docs/content/_partials/auth_rate_limits.mdx
Taryn King cfbb73c60f docs: improve clarity of auth rate limits (#43618)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Doc update to improve clarity of auth rate limits.

---------

Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
2026-03-16 14:37:50 +00:00


| Operation | Path | Limited By | Customizable | Limit |
| ---------------------------------- | -------------------------------------------------------------- | ------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Endpoints that trigger email sends | `/auth/v1/signup` `/auth/v1/recover` `/auth/v1/user` | Sum of combined requests project-wide | Custom SMTP Only | <SharedData data="config">auth.rate_limits.email.inbuilt_smtp_per_hour</SharedData> emails per hour with the built-in email provider. You can only change this with a custom SMTP setup. The rate limit is only applied on `/auth/v1/user` if this endpoint is called to update the user's email address. |
| Send One-Time-Passwords (OTP) | `/auth/v1/otp` | Sum of combined requests project-wide | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.requests_per_hour</SharedData> OTPs per hour. |
| Send OTPs or magic links | `/auth/v1/otp` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.otp.period</SharedData> window before a new request is allowed for the same user. |
| Signup confirmation request | `/auth/v1/signup` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.signup_confirmation.period</SharedData> window before a new request is allowed for the same user. |
| Password Reset Request | `/auth/v1/recover` | Last request of the user | Yes | Defaults to <SharedData data="config">auth.rate_limits.password_reset.period</SharedData> window before a new request is allowed for the same user. |
| Verification requests | `/auth/v1/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.verification.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.requests_burst</SharedData> requests) |
| Token refresh requests | `/auth/v1/token` | IP Address | No | <SharedData data="config">auth.rate_limits.token_refresh.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.token_refresh.requests_burst</SharedData> requests) |
| Create or Verify an MFA challenge | `/auth/v1/factors/:id/challenge` `/auth/v1/factors/:id/verify` | IP Address | No | <SharedData data="config">auth.rate_limits.mfa.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.verification.mfa</SharedData> requests) |
| Anonymous sign-ins | `/auth/v1/signup` | IP Address | No | <SharedData data="config">auth.rate_limits.anonymous_signin.requests_per_hour</SharedData> requests per hour (with bursts up to <SharedData data="config">auth.rate_limits.anonymous_signin.requests_burst</SharedData> requests). Rate limit only applies if this endpoint is called without passing in an email or phone number in the request body. |