Corbado Rate Limits

Corbado does not publish explicit numeric rate limits for the Backend API. As a multi-tenant authentication platform, requests are scoped per project and authenticated with HTTP Basic auth (project ID + API secret); abusive or excessive traffic is throttled and clients should expect HTTP 429 responses under load. Plan and usage are primarily metered by monthly active users (MAU) rather than raw request rate. Specific per-endpoint limits are not reconciled in this artifact.

Corbado Rate Limits is the machine-readable rate-limit profile for Corbado on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 3 rate-limit definitions, measuring requests and monthly_active_users.

The profile also defines 2 backoff/retry policies and documents the response codes returned for throttled requests.

Tagged areas include Authentication, Passkeys, WebAuthn, Passwordless, and CIAM.

3 Limits · Throttle: 429
Tags: Authentication, Passkeys, WebAuthn, Passwordless, CIAM, Identity, Rate Limiting, Quotas, Throttling

Limits

Backend API Requests
Scope: project
Metric: requests
Limit: see provider documentation
Per-project request throttling; explicit numeric ceiling not published.

Passkey Ceremonies
Scope: project
Metric: requests
Limit: see provider documentation
Append/login start and finish ceremonies; throttled to mitigate abuse.

Monthly Active Users (MAU)
Scope: project
Metric: monthly_active_users
Limit: plan-dependent
Primary metering dimension; tied to plan allotment, not a request rate.

Policies

Per-Project Scoping: Limits and usage are scoped to a project identified by the project ID used in Basic auth.

Backoff Strategy: Clients should implement exponential backoff with jitter and honor Retry-After on HTTP 429.
