Context: We use the Sign-In Widget in a React SPA, although we observe the same issue when using the Okta-hosted login page.
We noticed that the rate limit in place when calling the /authn endpoint to initiate login was set to 500. After checking the documentation (Client-based rate limits | Okta Developer), we checked our organization’s settings and noticed that the “Enforce and log per client (recommended)” option wasn’t enabled, so we switched to it. This should enforce a rate limit of 60 requests per minute.
However, even after switching to it, we didn’t notice any change to the rate limit in the headers (it is still 500). Does anyone have a clue why the rate limit isn’t being enforced?
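Added example, not part of the original post: a small probe that calls the primary authentication endpoint (/api/v1/authn, the "/authn" endpoint the post refers to) and interprets Okta's X-Rate-Limit-Limit / X-Rate-Limit-Remaining / X-Rate-Limit-Reset response headers, so the observed limit (500 vs. the expected 60) can be checked from a script instead of by eye. The org URL and credentials are placeholders; the header values in the sample are constructed to match what the post describes. A failed login (401) still carries the rate-limit headers, so the probe captures them on error responses as well.

```python
# Added example (not from the original post): read Okta's X-Rate-Limit-* headers
# from a /api/v1/authn response and compare the advertised limit with the one
# expected after enabling per-client enforcement. Org URL and credentials are
# placeholders (assumptions).
import json
import urllib.error
import urllib.request

EXPECTED_PER_CLIENT_LIMIT = 60  # the per-client limit the post expects after the switch
RATE_LIMIT_HEADERS = ("X-Rate-Limit-Limit", "X-Rate-Limit-Remaining", "X-Rate-Limit-Reset")


def parse_rate_limit_headers(headers):
    """Return the three Okta rate-limit headers as integers (case-insensitive lookup).
    A missing header maps to None so callers can tell 'absent' from 'zero'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    parsed = {}
    for name in RATE_LIMIT_HEADERS:
        raw = lowered.get(name.lower())
        parsed[name] = int(raw) if raw is not None else None
    return parsed


def assess_limit(headers, expected=EXPECTED_PER_CLIENT_LIMIT):
    """Compare the limit Okta advertises with the one we expect.
    Returns (verdict string, parsed header values)."""
    parsed = parse_rate_limit_headers(headers)
    limit = parsed["X-Rate-Limit-Limit"]
    if limit is None:
        verdict = "no rate-limit headers on this response"
    elif limit == expected:
        verdict = f"expected limit {expected} is being applied"
    else:
        verdict = f"advertised limit is {limit}, not the expected {expected}"
    return verdict, parsed


def probe_authn(org_url, username, password):
    """POST to /api/v1/authn and return (response headers, HTTP status).
    Rate-limit headers are present on 4xx responses too, so capture them on HTTPError."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/authn",
        data=body,
        method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers), resp.status
    except urllib.error.HTTPError as err:
        return dict(err.headers), err.code


if __name__ == "__main__":
    # Constructed sample headers reproducing what the post reports (limit still 500).
    # Replace with probe_authn("https://example.okta.com", "user", "pass")[0]
    # (placeholder org and credentials) to inspect a real org.
    sample = {
        "X-Rate-Limit-Limit": "500",
        "X-Rate-Limit-Remaining": "499",
        "X-Rate-Limit-Reset": "1700000060",
        "Content-Type": "application/json",
    }
    verdict, values = assess_limit(sample)
    print(values)
    print(verdict)
```

Run it a few times in a row against a real org and watch X-Rate-Limit-Remaining decrease: if the limit header stays at 500 and the remaining count is decremented from 500 rather than 60, the org-wide limit, not the per-client one, is what is being applied to that endpoint.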