Zitadel Rate Limits

ZITADEL Cloud applies IP-oriented rate limits, with separate ceilings for the login / register / reset UI paths and for all other gRPC / REST / OAuth API endpoints. DDoS mitigation is layered on top, so simply rotating IPs to evade limits can lead to blocking. Self-hosted ZITADEL has no enforced ceiling.


Limits

Scope                                       | Keyed by | Metric              | Limit    | Notes
UI paths (/ui/* — Login, Register, Reset)   | IP       | requests per second | 10 req/s | Steady-state limit; bursts up to 15 req/s tolerated (3-minute burst window).
gRPC / REST / OAuth APIs (all other paths)  | IP       | requests per second | 50 req/s | Steady-state and burst both 50 req/s.

Policies

IP-oriented limiting
Rate limits are bound to the source IP address; ZITADEL Cloud sits behind DDoS mitigation that may block IPs that try to evade limits by rotating.
429 + exponential backoff
When throttled the API returns HTTP 429; clients should implement exponential backoff with jitter rather than tight retry loops.
Shared-IP accommodation
Customers behind corporate proxies / NAT can request limit adjustments via [email protected].
Load testing requires advance notice
Load testing requires at least two weeks' advance notice via [email protected]; unauthorized load testing risks DDoS flagging and service termination.
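The two client-side behaviours these policies ask for, paced requests that stay under the documented ceilings and exponential backoff with jitter on HTTP 429, as an added example that is not ZITADEL's own SDK code. The limit values mirror the table above; honouring a Retry-After header is an assumption, since the page does not say whether ZITADEL Cloud sends one.

```python
import random
import time

# Constructed from the documented ZITADEL Cloud ceilings (per source IP).
UI_LIMIT = {"rate": 10, "burst": 15}   # /ui/* : 10 req/s sustained, 15 req/s burst
API_LIMIT = {"rate": 50, "burst": 50}  # gRPC/REST/OAuth: 50 req/s, no extra burst


class TokenBucket:
    """Client-side pacing so a well-behaved client never reaches the server limit."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def wait_time(self):
        """Consume one token if available and return 0, else seconds until one is."""
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return 0.0
        return (1 - self.tokens) / self.rate


def bucket_for_path(path):
    """Pick the limiter matching the path class in the rate-limit table."""
    return TokenBucket(**(UI_LIMIT if path.startswith("/ui/") else API_LIMIT))


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send, max_attempts=6, sleep=time.sleep, rng=random.random):
    """send() returns (status, headers). Retry only on 429; never spin in a tight loop.

    Returns (final_status, retries_made). Retry-After (assumed header) wins over jitter.
    """
    attempt = 0
    while True:
        status, headers = send()
        if status != 429 or attempt + 1 >= max_attempts:
            return status, attempt
        retry_after = headers.get("Retry-After")
        sleep(float(retry_after) if retry_after else backoff_delay(attempt, rng=rng))
        attempt += 1
```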
