Rate limits in App Users API vs Users API


We have been getting rate limit warnings for our application (in the staging environment, thankfully) that uses Okta for authentication. This is because we use the “Get Assigned User for App” request at the /api/v1/apps/{id}/users/{id} endpoint for fetching the user profile. The endpoint in question has a rate limit of only 25 requests per second in our tier, while the rate limit for the /api/v1/users/ endpoint is much higher. However, the Users API is not suitable for our needs, because we need to fetch an application-specific custom attribute from the application user profile.

Why is the rate limit so much lower for the app users endpoint? Does anyone have workarounds for this? I understand that the Apps API in general is mostly used for application management, which explains the low limits, but fetching user profiles is done pretty frequently. Is it a bad practice to fetch the application user profile?

If you implemented SAML/OIDC SSO, then you can send this info in the assertion/token. That would save you from requesting this information explicitly.

1 Like