Spring Security Rate Limits
Spring Security is a self-hosted authentication and authorization framework — there is no vendor-hosted API and therefore no vendor-imposed throughput limits. Spring Authorization Server (a Spring Security sub-project) ships token endpoints whose throughput is bounded only by the operator's deployment. Throttling is added by the surrounding gateway, Resilience4j, or a custom filter.
Throttle: 429
Authentication, Authorization, Java, OAuth2, Spring Framework, Rate Limiting
Limits
Operator-Defined deployment
see operator deployment configuration
Spring Security and Spring Authorization Server provide no built-in throttling. Effective limits depend on the gateway, ingress, or filter chain in front of the OAuth2 endpoints.
Policies
Self-Hosted Throttling
Operators commonly add a Servlet or WebFlux filter (often Resilience4j-backed) that emits 429 with Retry-After when the token endpoint is hammered. Spring Security itself does not enforce a request rate.
Lockout vs Throttle
Spring Security distinguishes account-lockout policy (UserDetailsService / failed-login counter) from request-rate throttling. Lockout is per-principal; throttling is per-IP or per-key and lives in the surrounding stack.
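One way to write the custom Servlet filter described under Self-Hosted Throttling, added here as an example and not code from Spring Security or Spring Authorization Server. It assumes Spring 6 with Jakarta Servlet, the default `/oauth2/token` path, and a constructed limit of 20 requests per 60 seconds per client IP; the class name and constants are hypothetical.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;

/** Added example: fixed-window throttle for the token endpoint, keyed by client IP. */
public class TokenEndpointThrottleFilter extends OncePerRequestFilter {
    private static final String TOKEN_PATH = "/oauth2/token"; // Spring Authorization Server default
    private static final int LIMIT = 20;            // assumed: requests per window per key
    private static final long WINDOW_MS = 60_000L;  // assumed: window length

    private record Window(long start, int count) {}
    // Unbounded here for brevity; a deployment needs eviction (e.g. a size-bounded cache).
    private final ConcurrentHashMap<String, Window> windows = new ConcurrentHashMap<>();

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Throttle only POSTs to the token endpoint; everything else passes through.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return !("POST".equals(request.getMethod()) && TOKEN_PATH.equals(path));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        long now = System.currentTimeMillis();
        // getRemoteAddr() is the proxy address behind a load balancer; resolve the real
        // client address from a trusted forwarded header before relying on this key.
        Window w = windows.compute(request.getRemoteAddr(), (ip, old) ->
                (old == null || now - old.start() >= WINDOW_MS)
                        ? new Window(now, 1)                          // start a new window
                        : new Window(old.start(), old.count() + 1));  // count within the window
        if (w.count() > LIMIT) {
            // Seconds until the current window ends, rounded up.
            long retryAfterSec = Math.max(1, (w.start() + WINDOW_MS - now + 999) / 1000);
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value()); // 429
            response.setHeader(HttpHeaders.RETRY_AFTER, Long.toString(retryAfterSec));
            return; // reject without invoking the rest of the chain
        }
        chain.doFilter(request, response);
    }
}
```

Because the key is the client address rather than the principal, this is request-rate throttling, not account lockout. Register the filter ahead of the authorization server's own filters, for example with `HttpSecurity.addFilterBefore`.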