Rate Limiting
LumoAuth applies rate limiting to protect endpoints from abuse, brute force attacks, and excessive load. Limits are enforced per organization, per IP, and per client or user depending on the endpoint. When a limit is hit, the server returns HTTP 429 Too Many Requests with a Retry-After header.
Rate Limit Tiers
| Endpoint Category | Rate Limit | Window |
|---|---|---|
| Login | 10 requests | Per minute per IP |
| Token | 30 requests | Per minute per client |
| Registration | 5 requests | Per minute per IP |
| Password Reset | 3 requests | Per minute per email |
| MFA Verification | 5 requests | Per minute per user |
| API (authenticated) | 100 requests | Per minute per token |
| API (unauthenticated) | 20 requests | Per minute per IP |
| SCIM | 100 requests | Per minute per token |
| Webhooks | N/A | Outbound, not rate-limited |
Rate Limit Headers
All API responses include rate limit headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1706400060
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the window |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
Rate Limit Exceeded
When a rate limit is exceeded, the API returns:
HTTP/1.1 429 Too Many Requests
Retry-After: 30
{
"error": "rate_limit_exceeded",
"error_description": "Too many requests. Try again in 30 seconds.",
"retry_after": 30
}
Handling Rate Limits
async function apiCallWithRetry(url, options, maxRetries = 3) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status === 429) {
const retryAfter = parseInt(response.headers.get('Retry-After') || '5');
await new Promise(r => setTimeout(r, retryAfter * 1000));
continue;
}
return response;
}
throw new Error('Rate limit exceeded after max retries');
}
IP-Based Protection
In addition to rate limits, LumoAuth tracks IP behavior:
| Protection | Description |
|---|---|
| Progressive delays | Increasing wait times after failed attempts from same IP |
| Temporary IP blocks | IPs with excessive failures are temporarily blocked |
| Trusted IP whitelisting | Exempt specific IP ranges from rate limits |
Configure trusted IPs at /orgs/{orgId}/portal/configuration/adaptive-auth.
Related Guides
- Security Overview - Full security features
- Adaptive MFA - Risk-based authentication
- Security Best Practices - Deployment recommendations