Rate Limit Policy
Last updated on April 20, 2023
This policy is an annex to the Terms of Service and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our Acceptable Use Policy.
Why do we rate limit​
To ensure the availability of our Services and to avoid slow or failed requests by our Customers, due to overloads, we impose rate limits on certain API. These limits helps us guarantee the performance and availability of ZITADEL Cloud.
How is the rate limit implemented​
ZITADEL Clouds rate limit is built around a IP oriented model.
Please be aware that we also utilize a service for DDoS mitigation.
So if you simply change your IP address and run the same request again and again you might be get blocked at some point.
If you are blocked you will receive a http status 429.
You should consider to implement exponential backoff into your application to prevent a blocking loop.
We understand that there are certain scenarios where your users access ZITADEL from shared IP Addresses. For example if you use a corporate proxy or Network Address Translation NAT. Please get in touch with us to discuss your requirements and we'll find a solution.
What rate limits do apply​
For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each.
Rate limits are implemented with the following rules:
| Path | Description | Rate Limiting | One Minute Banning |
|---|---|---|---|
| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
Load Testing​
If you would like to conduct load testing of ZITADEL Cloud or a managed instance, you MUST request to do so with a minimum of 2 weeks notice before the test by contacting us at support@zitadel.com. You MUST NOT conduct load testing without prior approval by us. Without prior approval and setup there is a high risk of being flagged by our DDoS solution as malicious traffic. This can have a severe impact on your service quality or result in termination of your agreement.