Ory · Rate Limits
Ory Network enforces per-project rate limits scaled by subscription plan and environment type (production vs dev/staging). Each policy combines a burst limit (requests per second) and a sustained limit (requests per minute). Limits documented here apply specifically to the /sessions/whoami endpoint as published; many other endpoints have their own service-specific quotas. Endpoints return HTTP 429 when limits are exceeded.
8 Limits
Throttle: 429
Quota: 429
Rate Limiting, Identity, OAuth2, OpenID Connect, CIAM
Limits
| Limit | Scope | Value | Notes |
| --- | --- | --- | --- |
| Developer plan (all environments) - /sessions/whoami | project/environment | 10 | Sustained limit 300 rpm. Applies to Developer (free) plan in all environments. |
| Production plan - production environment - /sessions/whoami | project/environment | 80 | Sustained 1800 rpm in production environment. |
| Production plan - dev/staging - /sessions/whoami | project/environment | 10 | Sustained 300 rpm. Dev/staging environments retain Developer-tier limits. |
| Growth plan - production environment - /sessions/whoami | project/environment | 800 | Sustained 18000 rpm in production environment. |
| Growth plan - dev/staging - /sessions/whoami | project/environment | 10 | Sustained 300 rpm. |
| Enterprise plan - production environment - /sessions/whoami | project/environment | 1200 | Sustained 36000 rpm in production environment. |
| Enterprise plan - dev/staging - /sessions/whoami | project/environment | 10 | Sustained 300 rpm. |
| Other endpoints | project/environment | see service-specific rate limits in the Ory rate-limits guide | Identity, session, OAuth2, and permission endpoints have their own per-endpoint burst/sustained policies tied to the same plan tiers. |
Policies
Burst vs Sustained
Each policy defines a burst (requests per second) and sustained (requests per minute) limit. Both must be respected.
Inflight Protection
Write operations on identity and session endpoints have additional inflight protection that returns HTTP 429 when concurrency exceeds the policy limit.
Backoff
Clients receiving 429 responses should pause and retry with exponential backoff and jitter; specific Retry-After semantics are not documented.
Plan Scoping
Limits scale by both plan tier and environment type. Dev and staging environments retain Developer-tier ceilings even on paid plans.
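
Added example (not Ory code or an Ory SDK): a client-side pacer that keeps a caller under both the burst and the sustained limit at once, with full-jitter exponential backoff for any 429 that still arrives. It assumes the bare figure in each limits row is the burst limit in requests per second and that limits are counted over sliding windows, which the page does not specify; all names and the backoff base and cap are hypothetical.

```python
import random
from collections import deque

class DualWindowLimiter:
    """Client-side pacing: admit a call only if BOTH windows have room."""
    def __init__(self, burst_rps, sustained_rpm):
        # (window length in seconds, max requests, timestamps of sent requests)
        self.windows = [(1.0, burst_rps, deque()), (60.0, sustained_rpm, deque())]

    def wait_time(self, now):
        """Seconds to wait before sending at time `now` (0.0 means send now)."""
        wait = 0.0
        for span, limit, sent in self.windows:
            while sent and sent[0] <= now - span:
                sent.popleft()  # timestamp has aged out of this window
            if len(sent) >= limit:
                wait = max(wait, sent[0] + span - now)
        return wait

    def record(self, now):
        for _, _, sent in self.windows:
            sent.append(now)

def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full jitter: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * 2 ** attempt)

def call_with_retry(send, limiter, clock, sleep, max_attempts=5):
    """send() returns an HTTP status code. Pace locally, back off on 429."""
    status = None
    for attempt in range(max_attempts):
        if attempt:
            sleep(backoff_delay(attempt - 1))  # no Retry-After to rely on
        sleep(limiter.wait_time(clock()))
        limiter.record(clock())  # a throttled attempt still counts as sent
        status = send()
        if status != 429:
            break
    return status

def simulate(n, burst_rps, sustained_rpm):
    """Constructed workload: send n requests as fast as the limiter allows."""
    # Assumption: e.g. Developer row = burst 10 rps, sustained 300 rpm.
    limiter, now, sent_at = DualWindowLimiter(burst_rps, sustained_rpm), 0.0, []
    for _ in range(n):
        now += limiter.wait_time(now)
        limiter.record(now)
        sent_at.append(now)
    return sent_at
```

With the Developer-tier figures, simulate(301, 10, 300) sends ten requests per second for thirty seconds and then holds the 301st until the minute window reopens, which is the case a burst-only limiter misses.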