OAuth token limits

When a client generates OAuth tokens (i.e., access tokens and refresh tokens), limits apply to how many tokens can be stored at a time and how many token requests can be sent within a given period.

These limits are applied for the following reasons:

  • To make it easier for clients to store and maintain their OAuth tokens.
  • To make sure that a malicious client cannot consume resources that would otherwise serve genuine clients.
  • To avoid overloading our app servers with unnecessary token requests.

The limits differ for access tokens, refresh tokens, authorization codes, and device tokens.

Limits for access token

For access tokens, two types of limits are applied:

1. Max tokens per refresh token

A client can hold a maximum of 15 active access tokens per refresh token at a time. Once the count reaches 15 and the client requests an additional token, a new token is issued and the oldest token is invalidated, so that no more than 15 remain active. A token invalidated this way fails before its expiry time, so a client must handle the error rather than rely on the expiry alone: when an invalid access token is used, an "INVALID_OAUTHTOKEN" exception is thrown.

2. Time-specific throttle limit

We have also applied a throttle limit on the number of times an app can request an access token within a specific time period: a maximum of 10 access token requests can be made within 10 minutes.

If the throttle limit is reached, the following exception will be thrown:

JSON response

{
  "error_description": "Token creation throttle limit reached. Please reuse the valid tokens you currently have.",
  "error": "Access Denied"
}

Roadblock error page

Access Denied: Maximum request limit reached for your account. Please try again after some time or contact the app's developer.

To avoid this exception, reuse each access token until it expires instead of requesting a new token for every API call. Only request a new token when the current one has expired or has been rejected as invalid, and do not retry a throttled request in a tight loop, since every retry counts against the 10-minute window.
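The following is an added example, not code from this page or from the token service's own SDK. It shows the client-side behaviour the throttle limit expects: one cached access token per refresh token, reused until it is about to expire, with the throttle JSON above surfaced as an error instead of being retried. The token endpoint is a constructed in-memory stand-in that enforces the two access-token limits described above (10 requests per 10 minutes, 15 active tokens per refresh token with the oldest evicted); its class names, the token lifetime of 3600 seconds, and the token strings are assumptions made so the example runs offline.

```python
import time
from collections import deque

# Limits quoted on the page.
THROTTLE_MAX = 10              # token requests ...
THROTTLE_WINDOW = 600          # ... per 10 minutes
MAX_ACTIVE_PER_REFRESH = 15    # active access tokens per refresh token
ACCESS_TOKEN_TTL = 3600        # assumed lifetime, not stated on the page


class ThrottledError(Exception):
    """Raised when the server answers with the 'Access Denied' throttle JSON."""


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint."""

    def __init__(self, clock):
        self.clock = clock
        self.request_times = deque()   # timestamps of recent token requests
        self.active = {}               # refresh_token -> deque of live access tokens
        self.counter = 0

    def refresh(self, refresh_token):
        now = self.clock()
        # Drop requests that have aged out of the 10-minute window.
        while self.request_times and now - self.request_times[0] >= THROTTLE_WINDOW:
            self.request_times.popleft()
        if len(self.request_times) >= THROTTLE_MAX:
            return {"error": "Access Denied",
                    "error_description": "Token creation throttle limit reached. "
                                         "Please reuse the valid tokens you currently have."}
        self.request_times.append(now)
        self.counter += 1
        token = f"access-{self.counter}"
        bucket = self.active.setdefault(refresh_token, deque())
        bucket.append(token)
        if len(bucket) > MAX_ACTIVE_PER_REFRESH:
            bucket.popleft()           # oldest token invalidated
        return {"access_token": token, "expires_in": ACCESS_TOKEN_TTL}

    def is_valid(self, refresh_token, access_token):
        return access_token in self.active.get(refresh_token, ())


class TokenCache:
    """Client-side cache: one access token per refresh token, reused until
    shortly before expiry, so API calls do not translate into token requests."""

    def __init__(self, endpoint, refresh_token, clock=time.time, skew=60):
        self.endpoint = endpoint
        self.refresh_token = refresh_token
        self.clock = clock
        self.skew = skew               # refresh this many seconds early
        self.token = None
        self.expires_at = 0.0
        self.token_requests = 0        # how often we actually hit the endpoint

    def get(self):
        if self.token and self.clock() < self.expires_at - self.skew:
            return self.token          # reuse: no round-trip, no throttle cost
        resp = self.endpoint.refresh(self.refresh_token)
        if resp.get("error") == "Access Denied":
            # Do not retry in a loop; every retry counts against the window.
            raise ThrottledError(resp["error_description"])
        self.token_requests += 1
        self.token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        return self.token


def reuse_demo():
    """500 API calls plus one expiry cost exactly two token requests."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    cache = TokenCache(FakeTokenEndpoint(clock), "refresh-A", clock)
    first = cache.get()
    for _ in range(500):
        cache.get()                    # served from cache
    now[0] += ACCESS_TOKEN_TTL         # token expired -> one refresh
    second = cache.get()
    return cache.token_requests, first != second


def throttle_and_eviction_demo():
    """A naive client that requests a token per call gets throttled on the
    11th request; after the window passes, the 16th token evicts the first."""
    now = [2_000_000.0]
    clock = lambda: now[0]
    server = FakeTokenEndpoint(clock)
    for _ in range(THROTTLE_MAX):
        server.refresh("refresh-B")
    throttled = server.refresh("refresh-B").get("error") == "Access Denied"
    now[0] += THROTTLE_WINDOW          # window expires, requests allowed again
    for _ in range(MAX_ACTIVE_PER_REFRESH + 1 - THROTTLE_MAX):
        server.refresh("refresh-B")    # tokens 11..16 issued
    return (throttled,
            server.is_valid("refresh-B", "access-1"),   # evicted
            server.is_valid("refresh-B", "access-2"))   # still active
```

The cache refreshes a fixed number of seconds early (`skew`) so that a token is never presented right at its expiry boundary; tune it to the latency of your slowest API call. With a shared refresh token across several worker processes, each process holds its own cached access token, and with more than 15 workers the oldest tokens are silently evicted, so those workers must also treat "INVALID_OAUTHTOKEN" as a signal to refresh rather than as a fatal error.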

Limit for refresh token

A client can hold a maximum of 20 active refresh tokens per user at a time (i.e., 20 refresh tokens for each user). Once the count reaches 20 for a user and the client requests an additional token, a new token is issued and the oldest token is invalidated, so that no more than 20 remain active. Store and reuse one refresh token per user rather than re-running the authorization flow, or long-lived sessions will be invalidated by newer ones.

Limit for authorization code

Within 10 minutes, a client can generate a maximum of 10 authorization codes per user. If the limit is reached, an "access_denied" exception is thrown for the remainder of the window. Each authorization code is valid for two minutes, so the client must exchange it for tokens promptly.

Limit for device token

For non-browser clients, a throttle limit is applied based on the IP address the requests come from. From a specific IP address, a client can request and generate a maximum of 30 device tokens within 10 minutes. If the limit is reached, an "access_denied" exception is thrown for the remainder of the window. Each device token is valid for five minutes. Note that the limit is per source IP, so many devices behind one NAT gateway share a single allowance.