
Rate limits

Clerk rate limits certain endpoints to help protect users against brute-force attacks or to stop abuse of Clerk's platform.

Errors

If you receive a 429 error code, you have been rate limited. All subsequent requests to that specific endpoint will be blocked for a given amount of time.

Requests that have been rate limited will receive the Retry-After response header, which contains the number of seconds after which the block expires.
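A client that honors this header, shown as an added example rather than Clerk's own code. The names retryDelayMs, fetchWithRetryAfter and makeFakeEndpoint are hypothetical, the 30-second cap and 1-second fallback are assumptions, and the fake endpoint is constructed so the logic runs offline.

```javascript
// Added example: these helpers are hypothetical and not part of any Clerk SDK.
const MAX_WAIT_MS = 30000; // assumed cap so a malformed header cannot stall the caller

// Convert a Retry-After value (seconds until the block expires) into a bounded delay.
function retryDelayMs(retryAfter, fallbackMs = 1000) {
  const value = String(retryAfter ?? "").trim();
  if (!/^\d+$/.test(value)) return fallbackMs; // header missing or not whole seconds
  return Math.min(Number(value) * 1000, MAX_WAIT_MS);
}

// Retry only on 429, waiting out the block each time instead of hammering the
// endpoint. doFetch and sleep are injectable so the logic can be tested offline.
async function fetchWithRetryAfter(url, init = {}, opts = {}) {
  const {
    maxAttempts = 3,
    doFetch = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  for (let attempt = 1; ; attempt++) {
    const res = await doFetch(url, init);
    // Anything other than 429 (success or a different error) goes back to the caller.
    if (res.status !== 429 || attempt >= maxAttempts) return res;
    await sleep(retryDelayMs(res.headers.get("Retry-After")));
  }
}

// Constructed stand-in for a rate-limited endpoint: two 429 responses, then a 200.
function makeFakeEndpoint() {
  let calls = 0;
  return async () => {
    calls++;
    const limited = calls <= 2;
    return {
      status: limited ? 429 : 200,
      headers: new Map(limited ? [["Retry-After", "7"]] : []),
    };
  };
}
```

If the response is still 429 after maxAttempts, it is returned as-is so the caller can surface the block to the user rather than retry indefinitely.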

Frontend API requests

Frontend API requests are rate-limited per user, and each user is identified by their IP address.

  • Create SignIn
    Endpoint: /v1/sign_ins
    Limit: 5 requests per 10 seconds

  • Create SignUp
    Endpoint: /v1/sign_ups
    Limit: 5 requests per 10 seconds

  • Attempt SignIn
    Endpoint: /v1/sign_ins/attempt_(first|second)_factor
    Limit: 3 requests per 10 seconds

  • Attempt SignUp
    Endpoint: /v1/sign_ups/attempt_verification
    Limit: 3 requests per 10 seconds

Backend API requests

Backend API requests are rate-limited per application instance, which is identified by the Secret Key that is provided when making Backend API requests. These limits differ based on whether you're using a development or production instance.

  • Production instances
    Limit: 1000 requests per 10 seconds

  • Development instances
    Limit: 100 requests per 10 seconds

  • Get the JWKS of the instance
    Endpoint: GET /v1/jwks
    Limit: No rate limit

Note

The currentUser() helper uses the GET /v1/users/me endpoint, so it is subject to the respective rate limits.
