How to enforce Client-Based Rate Limiting for OAuth Service Clients (Client Credentials Grant) in Okta?

Okta provides the capability to activate per-client rate limiting, which helps safeguard against a single client causing congestion on Okta’s /login/login.htm and OAuth 2.0 /authorize endpoints. You can find more information on this feature at Configure client-based rate limiting.


Now, we have a specific requirement related to OAuth Service Clients (Client Credentials Grant). We need to implement rate limits for the access tokens they request. These OAuth service clients exclusively use the /token endpoint. What steps can we take to enforce client-based rate limiting for OAuth service clients using the client credentials grant?

Hi Sami,

I don’t believe there is a way to set up Client-Based RL for the /token endpoint; its RL would fall under:

For the Resource Owner Password Grant type the /token endpoint is limited to 4 per second.

This might be a good enhancement request at ideas.okta.com to see if something similar could be done for the Client Credentials flow.

thank you,

2 Likes
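Because the reply above says Okta has no server-side per-client limit for /token, the practical alternative is for the service client to limit itself. The following is an added example and is not code from this thread or from Okta: it caches the client-credentials access token until shortly before it expires, so /token is hit once per token lifetime rather than once per downstream API call, and it gates the refreshes that remain through a local token bucket. The token URL, client ID, client secret and scope are placeholders; the handling of the `X-Rate-Limit-Reset` header assumes Okta's documented rate-limit response headers, and the HTTP transport is pluggable so the logic can be exercised offline.

```python
"""Client-side throttling and caching for Okta client-credentials token requests.

Added example (not from the thread or Okta's SDKs). Placeholders: token URL,
client_id, client_secret, scopes. Assumes Okta's X-Rate-Limit-Reset header
(epoch seconds) on 429 responses.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class RateLimited(Exception):
    """Raised when the local bucket is empty or Okta answered 429."""

    def __init__(self, message, retry_after):
        super().__init__(message)
        self.retry_after = retry_after  # seconds the caller should wait


class TokenBucket:
    """Local token-bucket limiter: `rate` requests/second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def try_acquire(self):
        # Refill proportionally to elapsed time, then spend one token if available.
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self):
        return max(0.0, (1.0 - self.tokens) / self.rate)


def urllib_post(url, headers, form):
    """Real transport. Returns (status, response_headers, json_body); 429 is returned, not raised."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), json.loads(err.read() or b"{}")


class CachedClientCredentials:
    """Reuse one access token until shortly before expiry; throttle the refreshes."""

    SKEW = 30  # refresh this many seconds before the token actually expires

    def __init__(self, token_url, client_id, client_secret, scopes, bucket,
                 post=urllib_post, clock=time.monotonic, wall_clock=time.time):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.scopes = scopes
        self.bucket = bucket
        self.post = post          # injectable transport (tests use a fake)
        self.clock = clock        # monotonic clock for expiry bookkeeping
        self.wall_clock = wall_clock  # epoch clock, compared with X-Rate-Limit-Reset
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0   # how many times /token was actually called

    def get_token(self):
        if self._token and self.clock() < self._expires_at:
            return self._token  # served from cache: no /token traffic at all
        if not self.bucket.try_acquire():
            raise RateLimited("local bucket empty", self.bucket.seconds_until_token())
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}",  # client_secret_basic
                   "Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials", "scope": " ".join(self.scopes)}
        self.token_requests += 1
        status, resp_headers, body = self.post(self.token_url, headers, form)
        if status == 429:
            reset = float(resp_headers.get("X-Rate-Limit-Reset", self.wall_clock() + 60))
            raise RateLimited("Okta rate limit hit", max(0.0, reset - self.wall_clock()))
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body.get('error')}")
        self._token = body["access_token"]
        self._expires_at = self.clock() + float(body.get("expires_in", 3600)) - self.SKEW
        return self._token
```

Share one `CachedClientCredentials` instance per service client across the process (or a shared cache across instances) so that every worker does not mint its own token; the bucket only bounds what is left after caching, and a caller that receives `RateLimited` should sleep for `retry_after` rather than retry immediately.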

Thanks @erik for your quick response.

I have submitted this feature request: https://ideas.okta.com/app/#/case/187066

This issue is ongoing for our OAuth service clients (client credentials grant). We have tried several workarounds, but it would be easier if Okta provided a way to limit access token requests.
If possible, please prioritize this feature request.

1 Like