API Rate Limits

Understand the rate limiting for APIs for different identity domain types.

Oracle APIs are subject to rate limiting to protect the API service usage for all Oracle's customers. If you reach the API limit for the identity domain type, then IAM returns a 429 error code.

Rate Limits for all Identity Domain Types

API Group Per Free Oracle Apps Oracle Apps Premium Premium External User
AuthN second 10 50 80 95 90
AuthN minute 150 1000 2100 4500 3100
Token Mgmt second 10 40 50 65 60
Token Mgmt minute 150 1000 1700 3400 2300
Others second 20 50 55 90 80
Others minute 150 1500 1750 5000 4000
Bulk second 5 5 5 5 5
Bulk minute 200 200 200 200 200
Import and export day 4 8 10 10 10

APIs in API Groups

API limits apply to the total of all APIs within a group.

Authentication
  • /sso/v1/user/login
  • /sso/v1/user/secure/login
  • /sso/v1/user/logout
  • /sso/v1/sdk/authenticate
  • /sso/v1/sdk/session
  • /sso/v1/sdk/idp
  • /sso/v1/sdk/secure/session
  • /mfa/v1/requests
  • /mfa/v1/users/{userguid}/factors
  • /oauth2/v1/authorize
  • /oauth2/v1/userlogout
  • /oauth2/v1/consent
  • /fed/v1/user/request/login
  • /fed/v1/sp/sso
  • /fed/v1/idp/sso
  • /fed/v1/idp/usernametoken
  • /fed/v1/metadata
  • /fed/v1/mex
  • /fed/v1/sp/slo
  • /fed/v1/sp/initiatesso
  • /fed/v1/sp/ssomtls
  • /fed/v1/idp/slo
  • /fed/v1/idp/initiatesso
  • /fed/v1/idp/wsfed
  • /fed/v1/idp/wsfedsignoutreturn
  • /fed/v1/user/response/login
  • /fed/v1/user/request/logout
  • /fed/v1/user/response/logout
  • /fed/v1/user/testspstart
  • /fed/v1/user/testspresult
  • /admin/v1/SigningCert/jwk
  • /admin/v1/HTTPAuthenticator
  • /admin/v1/PasswordAuthenticator
  • /admin/v1/Asserter
  • /admin/v1/MyAuthenticationFactorInitiator
  • /admin/v1/MyAuthenticationFactorEnroller
  • /admin/v1/MyAuthenticationFactorValidator
  • /admin/v1/MyAuthenticationFactorsRemover
  • /admin/v1/TermsOfUseConsent
  • /admin/v1/MyTermsOfUseConsent
  • /admin/v1/TrustedUserAgents
  • /admin/v1/AuthenticationFactorInitiator
  • /admin/v1/AuthenticationFactorEnroller
  • /admin/v1/AuthenticationFactorValidator
  • /admin/v1/MePasswordResetter
  • /admin/v1/UserPasswordChanger
  • /admin/v1/UserLockedStateChanger
  • /admin/v1/AuthenticationFactorsRemover
  • /admin/v1/BypassCodes
  • /admin/v1/MyBypassCodes
  • /admin/v1/MyTrustedUserAgents
  • /admin/v1/Devices
  • /admin/v1/MyDevices
  • /admin/v1/TermsOfUses
  • /admin/v1/TermsOfUseStatements
  • /admin/v1/AuthenticationFactorSettings
  • /admin/v1/SsoSettings
  • /admin/v1/AdaptiveAccessSettings
  • /admin/v1/RiskProviderProfiles
  • /admin/v1/Threats
  • /admin/v1/UserDevices
  • /session/v1/SessionsLogoutValidator
  • /ui/v1/signin
Tokens
  • /oauth2/v1/token
  • /oauth2/v1/introspect
  • /oauth2/v1/revoke
  • /oauth2/v1/device
Import/Export
  • /job/v1/JobSchedules?jobType=UserImport
  • /job/v1/JobSchedules?jobType=UserExport
  • /job/v1/JobSchedules?jobType=GroupImport
  • /job/v1/JobSchedules?jobType=GroupExport
  • /job/v1/JobSchedules?jobType=AppRoleImport
  • /job/v1/JobSchedules?jobType=AppRoleExport
Bulk
  • /admin/v1/Bulk
  • /admin/v1/BulkUserPasswordChanger
  • /admin/v1/BulkUserPasswordResetter
  • /admin/v1/BulkSourceEvents
Other

Any API not in one of the other API Groups is included in the Other API Group

Other Restrictions

These restrictions are for Bulk, Import, and Export for all tiers:

  • Payload size: 1 MB
  • Bulk API: 50 operations limit per call
  • Only one of these can be run at a time:
    • Import: For Users, Groups & App Role Memberships
    • Full sync from apps
    • Bulk APIs
    • Export: For Users, Groups & App Role Memberships
  • CSV Import: 100 K rows limit per CSV & Max file size: 10 MB
  • CSV Export: 100 K rows limit