Login.gov · Rate Limits

Login Gov Rate Limits

Login.gov does not publish a numeric per-RP rate-limit rate card in its public developer documentation. Rate limits, concurrency, and abuse protections are enforced by the IdP, but they are configured per relying party and discussed with the assigned account manager during onboarding. The IdP enforces user-facing rate limits on credential validation, identity-proofing attempts, and OTP delivery to prevent abuse.

Login Gov Rate Limits is the machine-readable rate-limit profile for Login.gov on the APIs.io network, conforming to the API Commons Rate Limits specification.

The profile also defines 4 backoff/retry policies.

Tagged areas include Government, Federal, GSA, Identity, and Authentication.

0 Limits
Government, Federal, GSA, Identity, Authentication, SSO, OIDC, SAML, IAL2, AAL2

Policies

Login.gov rate-limits failed password and OTP attempts per user account to protect against credential stuffing and brute force.
Repeated IAL2 identity-verification attempts on the same account or device are throttled to protect against document/selfie fraud.
Per-RP traffic limits and concurrency are configured per IAA and tuned with the account manager; they are not publicly disclosed.
The OIDC discovery and JWKS endpoints are publicly cacheable; clients should cache and refresh per the `Cache-Control` header rather than polling.
