Docs

Rate limits

Clerk rate limits certain endpoints to help protect users against brute-force attacks or to stop abuse of Clerk's platform.

Rate limiting is based on IP addresses.

Errors

If you receive a 429 error code, your IP address has been rate limited. All subsequent requests to that specific endpoint coming from your IP address will be blocked for a given amount of time.

Requests that have been rate limited will receive the Retry-After response header, which contains the number of seconds after which the block expires.

Frontend API requests

Frontend API requests are rate limited per user.

  • Name
    Create SignIn
    Type
    /v1/sign_ins
    Description

    7 requests per 10 seconds

  • Name
    Create SignUp
    Type
    /v1/sign_ups
    Description

    7 requests per 10 seconds

  • Name
    Attempt SignIn
    Type
    /v1/sign_ins/attempt_(first|second)_factor
    Description

    3 requests per 10 seconds

  • Name
    Attempt SignUp
    Type
    /v1/sign_ups/attempt_verification
    Description

    3 requests per 10 seconds

Backend API requests

Backend API requests are rate limited per application instance.

  • Name
    Create users
    Type
    POST /v1/users
    Description

    20 requests per 10 seconds

  • Name
    All other endpoints
    Description

    100 requests per 10 seconds

  • Name
    Get the JWKS of the instance
    Type
    GET /v1/jwks
    Description

    No rate limit

Note

The currentUser() helper uses the GET /v1/users/me endpoint, so it is subject to the 100 requests per 10 seconds rate limit.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on