Rate limits
Clerk rate limits certain endpoints to help protect users against brute-force attacks or to stop abuse of Clerk's platform.
Rate limiting is based on IP addresses.
Errors
If you receive a 429 error code, your IP address has been rate limited. All subsequent requests to that specific endpoint coming from your IP address will be blocked for a given amount of time.
Requests that have been rate limited will receive the Retry-After response header, which contains the number of seconds after which the block expires.
Frontend API requests
Frontend API requests are rate limited per user.
Name | Endpoint | Rate limit |
---|---|---|
Create SignIn | /v1/sign_ins | 7 requests per 10 seconds |
Create SignUp | /v1/sign_ups | 7 requests per 10 seconds |
Attempt SignIn | /v1/sign_ins/attempt_(first|second)_factor | 3 requests per 10 seconds |
Attempt SignUp | /v1/sign_ups/attempt_verification | 3 requests per 10 seconds |
Backend API requests
Backend API requests are rate limited per application instance.
Name | Endpoint | Rate limit |
---|---|---|
Create users | POST /v1/users | 20 requests per 10 seconds |
All other endpoints | | 100 requests per 10 seconds |
Get the JWKS of the instance | GET /v1/jwks | No rate limit |
The currentUser() helper uses the GET /v1/users/me endpoint, so it is subject to the 100 requests per 10 seconds rate limit.
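The following is an added example, not code from Clerk or its SDK: a client-side throttle that keeps a backend service under the Backend API limits listed above and honours Retry-After after a 429. The names createThrottle, delayFor and record are hypothetical. It assumes the 100 requests per 10 seconds limit is one budget shared by all other endpoints, and it falls back to a 10 second wait when Retry-After is missing or unparsable.

```javascript
// Added example: hypothetical helper, not part of Clerk's SDK.
const WINDOW_MS = 10_000; // every limit in the table is "per 10 seconds"

// First matching rule wins; values come from the Backend API table.
const LIMITS = [
  { match: (m, p) => m === 'GET' && p === '/v1/jwks', max: Infinity },
  { match: (m, p) => m === 'POST' && p === '/v1/users', max: 20 },
  { match: () => true, max: 100 }, // assumption: one shared bucket
];

function createThrottle(now = Date.now) {
  const sent = new Map();         // rule index -> timestamps of recent requests
  const blockedUntil = new Map(); // "METHOD path" -> time the 429 block expires

  // Returns the ms to wait before sending; 0 means "send now" and
  // counts the request against its sliding window.
  function delayFor(method, path) {
    const t = now();
    const block = blockedUntil.get(`${method} ${path}`) ?? 0;
    if (block > t) return block - t;

    const i = LIMITS.findIndex((rule) => rule.match(method, path));
    if (LIMITS[i].max === Infinity) return 0;

    const recent = (sent.get(i) ?? []).filter((ts) => t - ts < WINDOW_MS);
    sent.set(i, recent);
    if (recent.length >= LIMITS[i].max) return recent[0] + WINDOW_MS - t;
    recent.push(t);
    return 0;
  }

  // Call with every response. A 429 blocks only the endpoint that returned
  // it, for the number of seconds given in Retry-After.
  function record(method, path, status, retryAfterHeader) {
    if (status !== 429) return;
    const secs = Number.parseInt(retryAfterHeader, 10);
    // Assumption: fall back to one full window if the header is unusable.
    const waitMs = Number.isFinite(secs) && secs >= 0 ? secs * 1000 : WINDOW_MS;
    blockedUntil.set(`${method} ${path}`, now() + waitMs);
  }

  return { delayFor, record };
}
```

Pass a fake clock to createThrottle to unit-test the behaviour without waiting; in production, sleep for the value delayFor returns before issuing the request.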
Last updated on April 3, 2024