HashiCorp Vault · Rate Limits
HashiCorp Vault does not enforce a default account-wide rate limit. Operators configure Resource Quotas (rate-limit quotas) using a token-bucket algorithm scoped per node and per unique client IP. Quotas can be applied at the global, namespace, mount, path, or auth-role level, with the most specific rule winning. Vault Enterprise additionally supports identity-based rate limits and lease-count quotas. Operational maximums (request size, lease count, namespace count) are documented as advisory ceilings rather than throttled limits.
Tags: Rate Limiting, Secrets Management, Security
Limits

Resource Quota (rate-limit)
  Scope: token bucket, per node + client_ip
  Value: operator-configured (no default)
  Note: Enforced per Vault server node, not cluster-wide. Set via the /sys/quotas/rate-limit endpoint.

Lease Count Quota (Enterprise)
  Scope: namespace or mount
  Value: operator-configured
  Note: Enterprise-only. Caps the total active leases per namespace/mount.

Maximum request size
  Scope: cluster
  Value: 33554432 bytes (32 MiB default)
  Note: Configurable via the max_request_size listener parameter.

Maximum request duration
  Scope: cluster
  Value: 90 seconds default
  Note: Configurable via max_request_duration.

Advisory lease ceiling
  Scope: cluster
  Value: 256000
  Note: Advisory operational ceiling; performance degrades beyond this. Use lease quotas to enforce.
Policies
Token-bucket Algorithm
Rate-limit quotas use token-bucket replenishment. The optional block_interval parameter can suspend a client for a configurable window after exceeding the bucket.
Quota Precedence
The most specific quota wins, in this order: role > path > mount > namespace > global root.
Per-Node Enforcement
Quotas are enforced per Vault server node, not replicated cluster-wide. Behind a load balancer, a 100 RPS quota across a 5-node cluster effectively allows ~500 RPS aggregate.
System Path Exemption
Health and unseal paths (sys/health, sys/unseal, sys/seal-status) are exempt from quotas by default. Configurable via the rate_limit_exempt_paths setting.
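The token-bucket replenishment, block_interval suspension, most-specific-wins precedence, per-node and per-client-IP bucket keying, and default exempt paths described in the sections above, modelled in one added example. This is illustrative code written for this page, not Vault's implementation; the Quota/NodeLimiter names and the simplified exact-match scoping are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative model (not Vault's own code): `rate` tokens refill per `interval`
# seconds; block_interval suspends a client after it drains its bucket.
# Scope fields left as None act as wildcards (exact match is a simplification).
@dataclass
class Quota:
    name: str
    rate: float
    interval: float = 1.0
    block_interval: float = 0.0
    namespace: Optional[str] = None
    mount: Optional[str] = None
    path: Optional[str] = None
    role: Optional[str] = None

    def matches(self, req: dict) -> bool:
        return all(getattr(self, k) in (None, req.get(k))
                   for k in ("namespace", "mount", "path", "role"))

    def specificity(self) -> Tuple[bool, ...]:
        # Precedence from the page: role > path > mount > namespace > global root
        return tuple(getattr(self, k) is not None
                     for k in ("role", "path", "mount", "namespace"))

class NodeLimiter:
    """One node's view: buckets are keyed per quota and per client IP, never shared."""
    EXEMPT = ("sys/health", "sys/unseal", "sys/seal-status")  # exempt by default

    def __init__(self, quotas: List[Quota]):
        self.quotas = quotas
        self.buckets: Dict[tuple, Tuple[float, float]] = {}  # key -> (tokens, last_ts)
        self.blocked: Dict[tuple, float] = {}                 # key -> unblock time

    def select(self, req: dict) -> Optional[Quota]:
        cands = [q for q in self.quotas if q.matches(req)]
        return max(cands, key=Quota.specificity) if cands else None

    def allow(self, req: dict, now: float) -> bool:
        if req["path"] in self.EXEMPT:
            return True
        q = self.select(req)
        if q is None:
            return True  # nothing configured: Vault applies no default limit
        key = (q.name, req["client_ip"])
        if self.blocked.get(key, 0.0) > now:
            return False
        tokens, last = self.buckets.get(key, (q.rate, now))
        tokens = min(q.rate, tokens + (now - last) * q.rate / q.interval)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        if q.block_interval:
            self.blocked[key] = now + q.block_interval
        return False
```

Because each NodeLimiter instance holds its own buckets, running one per node shows why a 100 RPS quota behind a 5-node load balancer admits roughly 500 RPS in aggregate.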
Backoff Strategy
Clients should retry with exponential backoff and jitter when they receive a 429 response. Vault returns HTTP 429 for rate-limited requests, with an optional Retry-After header when block_interval is configured.
Identity-Based Rate Limiting (Enterprise)
Vault Enterprise can apply rate limits keyed on identity entity rather than client IP, useful when many clients share an egress IP.