Rate limits and Quotas on API Requests

This document describes the limits and quotas that apply to requests to the REST API of deployed Keycloak clusters.

Cloud-IAM is used by millions of users all over the world. We put limits and quotas on the Keycloak API to protect the system from receiving more data than it can handle, and to ensure an equitable distribution of system resources. The limits and quotas are subject to change.

General quota limits



The following quotas apply to the Keycloak API:

50 queries per second per IP address on the OpenID API endpoints
30 queries per second per IP address on the Keycloak REST Admin endpoints

Can the current limits be increased and if so, does it impact the subscription cost?



Please contact our support team if you have special needs.

Exceeding quota limits



If the quota for Keycloak API requests is exceeded, the API returns error code 429 and a message that the account has exceeded the quota.
When the threshold is met, the client is blocked for 1 second.

Can we track our requests/sec usage quota and if so, how?



Currently that's not possible.
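
Since usage cannot be tracked on the service side, a client can pace itself against the quotas above and wait out the 1-second block when it receives a 429. The following is an added example, not Cloud-IAM or Keycloak code; `SlidingWindowThrottle`, `call_with_quota` and the `send` callable (any function that performs one request and returns its HTTP status) are hypothetical names, and the sliding 1-second window is an assumption because the page does not say how the service aligns its window.

```python
import time
from collections import deque

OPENID_QPS = 50       # from the page: OpenID API endpoints, per IP address
ADMIN_QPS = 30        # from the page: Keycloak REST Admin endpoints, per IP address
BLOCK_SECONDS = 1.0   # from the page: the client is blocked for 1 second


class SlidingWindowThrottle:
    """Client-side guard: at most `limit` calls in any 1-second window.

    Assumption: a sliding window is used because the service's own window
    alignment is not documented; it never exceeds a fixed-window quota.
    """

    def __init__(self, limit, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.clock, self.sleep = limit, clock, sleep
        self.sent = deque()  # timestamps of calls inside the current window

    def acquire(self):
        """Block until one more request fits under the quota."""
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= 1.0:
                self.sent.popleft()          # drop calls older than 1 second
            if len(self.sent) < self.limit:
                self.sent.append(now)
                return
            self.sleep(1.0 - (now - self.sent[0]))  # wait for the oldest to expire

    def penalize(self):
        """After a 429: wait out the block, then start a fresh window."""
        self.sleep(BLOCK_SECONDS)
        self.sent.clear()


def call_with_quota(send, throttle, max_retries=3):
    """Run send() under the throttle; retry on 429 up to max_retries times."""
    for _ in range(max_retries + 1):
        throttle.acquire()
        status = send()
        if status != 429:
            return status
        throttle.penalize()
    return 429  # still over quota after all retries; caller decides what to do
```

All processes that share one egress IP address count against the same quota, so one throttle instance per process only helps when a single process owns that address.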

Updated on: 23/06/2022
