HashiCorp Vault · Rate Limits

Hvault Rate Limits

HashiCorp Vault does not enforce a default account-wide rate limit. Operators configure Resource Quotas (rate-limit quotas) using a token-bucket algorithm scoped per-node and per-unique-client-IP. Quotas can be applied at global, namespace, mount, path, or auth-role level with most-specific rule winning. Vault Enterprise additionally supports identity-based rate limits and lease-count quotas. Operational maximums (request size, lease count, namespace count) are documented as advisory ceilings rather than throttled limits.

Hvault Rate Limits is the machine-readable rate-limit profile for HashiCorp Vault on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 5 rate-limit definitions, measuring requests_per_second, active_leases, bytes_per_request, and seconds_per_request.

The profile also includes 6 backoff/retry policies defined.

Tagged areas include Rate Limiting, Secrets Management, and Security.

5 Limits
Rate LimitingSecrets ManagementSecurity

Limits

Resource Quota (rate-limit) - token bucket node + client_ip
requests_per_second
operator-configured (no default)
Enforced per Vault server node, not cluster-wide. Set via /sys/quotas/rate-limit endpoint.
Lease Count Quota (Enterprise) namespace or mount
active_leases
operator-configured
Enterprise-only. Caps the total active leases per namespace/mount.
Maximum request size cluster
bytes_per_request
33554432
32 MiB default; configurable via max_request_size listener parameter.
Maximum request duration cluster
seconds_per_request · second
90
90 seconds default; configurable via max_request_duration.
Advisory lease ceiling cluster
active_leases
256000
Advisory operational ceiling; performance degrades beyond this. Use lease quotas to enforce.

Policies

Token-bucket Algorithm
Rate-limit quotas use token-bucket replenishment. The optional block_interval parameter can suspend a client for a configurable window after exceeding the bucket.
Quota Precedence
Most specific quota wins, in order - role > path > mount > namespace > global root.
Per-Node Enforcement
Quotas are enforced per Vault server node, not replicated cluster-wide. Behind a load balancer, a 100 RPS quota across a 5-node cluster effectively allows ~500 RPS aggregate.
System Path Exemption
Health and unseal paths (sys/health, sys/unseal, sys/seal-status) are exempt from quotas by default. Configurable via the rate_limit_exempt_paths setting.
Backoff Strategy
Clients should retry with exponential backoff and jitter when receiving a 429-style response. Vault returns HTTP 429 for rate-limited requests with optional Retry-After header when block_interval is configured.
Identity-Based Rate Limiting (Enterprise)
Vault Enterprise can apply rate limits keyed on identity entity rather than client IP, useful when many clients share an egress IP.

Sources