Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: refactored rate-limit docs, added endpoint-based page and over… #1896

Merged
merged 15 commits into from
Oct 30, 2024
Merged

chore: refactored rate-limit docs, added endpoint-based page and over… #1896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
0a706c4
chore: refactored rate-limit docs, added endpoint-based page and over…
tricky42 Sep 24, 2024
f63dd9f
chore: adjust sidebar
tricky42 Sep 24, 2024
3f6759f
chore: formatting
tricky42 Sep 24, 2024
c1eb240
Merge branch 'master' into abu/rate-limits
tricky42 Oct 7, 2024
0370a4b
chore: merge ratelimit pages
tricky42 Oct 7, 2024
7386ef5
chore: rework rate-limit doc
tricky42 Oct 18, 2024
904f0e0
chore: add workspaces page
tricky42 Oct 18, 2024
b66a3e2
chore: clean up
tricky42 Oct 18, 2024
3b754d4
chore: add two diagrams to visualize workspace/projects/envs relation
tricky42 Oct 30, 2024
f615e49
chore: update docusaurus
tricky42 Oct 30, 2024
d526ee8
Merge branch 'master' into abu/rate-limits
tricky42 Oct 30, 2024
579cbcb
chore: pin to concrete version
tricky42 Oct 30, 2024
6017903
chore: implement styleguide
vinckr Oct 30, 2024
fdd6a02
chore: implement styleguide
vinckr Oct 30, 2024
fc42d23
chore: implement styleguide
vinckr Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added docs/guides/_static/workspaces/ory-workspaces-members.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
245 changes: 184 additions & 61 deletions docs/guides/rate-limits.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,74 +1,197 @@
---
id: rate-limits
title: Project Rate Limits
sidebar_label: Rate Limits
title: Understand Ory Network rate limiting
sidebar_label: Rate limits
---

Ory Network enforces different rate limit policies based on the environment of your project and the path of your request.

1. `/sessions/whoami`: session checks
2. `/admin/oauth2/introspect`: OAuth2 token introspection
3. `/relation-tuples/check`: permission check
4. `GET /admin/identities`: list identities
5. `*`: everything else

Each of these policies incorporates two types of rate limits:

1. The `burst` limit, which regulates the maximum number of requests per second, allowing brief spikes in request volume.
2. The `sustained` limit, controlling the number of requests over a one-minute period.

## Developer Plan Rate Limits

| Environment | Path / Bucket | burst (rps) | sustained (rpm) |
| :------------ | :------------------------- | ----------: | --------------: |
| **Developer** | `/sessions/whoami` | 10 | 300 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |

## Production Plan Rate Limits

| Environment | Path / Bucket | burst (rps) | sustained (rpm) |
| :------------- | :------------------------- | ----------: | --------------: |
| **Production** | `/sessions/whoami` | 80 | 1800 |
| | `/admin/oauth2/introspect` | 80 | 1800 |
| | `/relation-tuples/check` | 80 | 1800 |
| | `GET /admin/identities` | 10 | 300 |
| | `*` | 40 | 900 |
| **Staging** | `/sessions/whoami` | 10 | 30 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |

## Growth Plan Rate Limits

| Environment | Path / Bucket | burst (rps) | sustained (rpm) |
| :------------- | :------------------------- | ----------: | --------------: |
| **Production** | `/sessions/whoami` | 800 | 18000 |
| | `/admin/oauth2/introspect` | 800 | 18000 |
| | `/relation-tuples/check` | 800 | 18000 |
| | `GET /admin/identities` | 20 | 600 |
| | `*` | 400 | 9000 |
| **Staging** | `/sessions/whoami` | 10 | 30 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |
This page provides a high level overview of the rate limiting mechanisms employed by Ory to ensure system security and
availability. Rate limiting is important to protect your applications against abuse and attacks, prevent service disruptions, and
ensure fair usage for all our customers.

## Types of rate limits

Ory implements two main rate limits:

1. Project rate limits in Workspaces: These limits are determined by your Ory subscription plan and project environment. They
define the maximum number of requests your projects can make to Ory's APIs within a given timeframe. This ensures fair resource
allocation across all Ory projects.
1. These limits are applied at the project level, meaning all requests from a specific project contribute to the rate limit
counter for that project.
2. Project rate limits are defined in terms of:
- Burst limit: This governs the maximum number of requests allowed per second for temporary spikes in traffic.
- Sustained limit: This sets the maximum request count over one minute, ensuring consistent and fair usage.
2. Endpoint based rate limits: These limits focus on safeguarding specific endpoints of your Ory projects against common attack
vectors like brute-force and credential stuffing attempts. They typically consider factors like source IP address and request
frequency to identify and mitigate malicious activity.
1. Endpoint-based rate limits act as a first line of defense for your project endpoints. These limits often use the source IP
address as a key criterion, allowing Ory to identify and block requests from suspicious or malicious sources.
2. By analyzing request patterns and incorporating factors like source IP, Ory can effectively differentiate between legitimate
user traffic and potentially harmful bot activity.

## Project rate limits in workspaces

With the introduction of Workspaces in Ory Network, rate limits are now applied to projects based on their assigned environment
and the Workspace's subscription plan. This approach ensures fair resource allocation and maintains the stability of the Ory
Network across different usage scenarios.

### How project rate limits work in workspaces

Rate limits for each project are determined by two main factors:

1. Workspace subscription: Your subscription plan (Developer, Production, Growth, or Enterprise) sets the baseline for your rate
limits.
2. Project environment: Within each Workspace, projects can be assigned to Production, Staging, or Development environments, each
with specific rate limit configurations.

For a detailed explanation of Workspaces and Environments, please refer to our
[Workspaces and Environments guide](/docs/guides/workspaces).

### Rate limit structure

Each rate limit policy includes two limits:

1. Burst limit: Maximum requests per second (rps), allowing for short traffic spikes.
2. Sustained limit: Maximum requests per minute (rpm), ensuring consistent performance over time.

### Determine your project's rate limits

To identify the rate limits that apply to your project:

1. Check your Workspace subscription plan (Developer, Production, Growth, or Enterprise).
2. Identify the environment (Production, Staging, or Development) assigned to your project.
3. Refer to the tables below based on your subscription plan and project environment.

### Rate limit tables by subscription plan

#### Developer plan rate limits

| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) |
| :---------- | :------------------------- | ----------: | --------------: |
| Developer | `/sessions/whoami` | 10 | 300 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |

:::note

For Developer plans, all environments (Production, Staging, Development) use the same rate limits.

:::

#### Production plan rate limits

| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) |
| :-------------------- | :------------------------- | ----------: | --------------: |
| Production | `/sessions/whoami` | 80 | 1800 |
| | `/admin/oauth2/introspect` | 80 | 1800 |
| | `/relation-tuples/check` | 80 | 1800 |
| | `GET /admin/identities` | 10 | 300 |
| | `*` | 40 | 900 |
| Staging & Development | `/sessions/whoami` | 10 | 30 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |

:::note

Production plan rate limits also apply to the Legacy `Essential` plan.

:::

#### Growth plan rate limits

| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) |
| :-------------------- | :------------------------- | ----------: | --------------: |
| Production | `/sessions/whoami` | 800 | 18000 |
| | `/admin/oauth2/introspect` | 800 | 18000 |
| | `/relation-tuples/check` | 800 | 18000 |
| | `GET /admin/identities` | 20 | 600 |
| | `*` | 400 | 9000 |
| Staging & Development | `/sessions/whoami` | 10 | 30 |
| | `/admin/oauth2/introspect` | 10 | 300 |
| | `/relation-tuples/check` | 10 | 300 |
| | `GET /admin/identities` | 1 | 10 |
| | `*` | 5 | 150 |

:::note

Looking for **enterprise-grade** rate limits? Everything's possible. [Get in touch](https://www.ory.sh/contact/) with us to
discuss your requirements.
Growth plan rate limits also apply to the Legacy `Scale` plan.

:::

## Workspace Rate Limit
#### Enterprise plan rate limits

Looking for enterprise-grade rate limits? Everything's possible.
[Get in touch with us to discuss your requirements](https://ory.sh/contact).

## Endpoint based rate limits

Endpoint based rate limits are controls applied to individual API endpoints within your Ory projects. Unlike project rate limits,
which govern overall project request volumes, endpoint based rate limits focus on safeguarding specific functionalities against
abuse.

### How endpoint based rate limits work

These limits act as a first line of defense for your project endpoints. They analyze incoming request patterns and consider
factors such as:

- Source IP Address: Identifies and potentially blocks requests from suspicious sources or those exhibiting behavior indicative of
malicious activity.
- Request Frequency: Monitors how often requests are made to a specific endpoint to detect and thwart attempts to overwhelm the
system or exploit vulnerabilities.
- User Authentication: (If applicable) Considers whether requests are authenticated and may apply different limits for
authenticated vs. unauthenticated requests.
- Request Method: May apply different limits based on the HTTP method used (GET, POST, etc.).
- IP Whitelist Status: Applies higher limits to whitelisted IPs for Enterprise and Growth customers.

### Purpose endpoint based rate limits

Ory implements endpoint based rate limits to proactively secure individual endpoints and protect against common attack vectors
like brute-force and credential stuffing, while allowing for higher volumes of legitimate traffic from trusted sources. These
attacks typically involve numerous attempts to guess credentials or exploit vulnerabilities, often from a limited set of IP
addresses.

1. Enhanced security:

- Restricts the number of requests from specific sources within a given timeframe.
- Makes it significantly harder for attackers to succeed with brute-force or credential stuffing attacks.
- Strengthens the security of your Ory projects and protects sensitive user data.

2. Protection against malicious bots:

- Differentiates between genuine user traffic and potentially harmful bot activity.
- Analyzes request patterns to identify and block automated malicious activities.

3. Safeguarding specific endpoints:

- Offers granular control over how each endpoint handles traffic and responds to potential threats.
- Allows fine-tuning of security measures for individual endpoints.
- Optimizes protection without compromising the user experience.

4. Fair usage:

- Complements project rate limits in ensuring fair resource allocation.
- Contributes to a fairer and more stable platform for all users by mitigating abusive traffic.

5. Flexibility for high volume legitimate traffic:
- Provides options for Enterprise and Growth customers to whitelist internal IPs for higher rate limits.
- Balances security needs with the requirements of high-volume legitimate traffic.

### Notes on rate limit rules

#### Rule management

The endpoint based rate limit rules are set and managed by Ory. These rules are not directly configurable by Enterprise and Growth
customers yet.

For all projects in a workspace, the rate limit is the same as for the production environment. For example, on the Production
plan, the rate limit would be 80 rps on the `/sessions/whoami` path for all projects combined on the workspace.
#### IP Whitelisting for Enterprise and Growth plans

## Legacy plans
Enterprise and Growth plans can whitelist internal IPs. This feature is designed for cases where these IPs generate high volumes
of legitimate calls that might otherwise trigger rate-limit rules.

The legacy Essential and Scale plans have the same rate limits as Production and Growth respectively.
- Whitelisted IPs are subject to the same rule structure but with higher limits.
- To whitelist IPs, please create a support ticket with Ory: <ConsoleLink route="support" /> .
- This feature ensures that high volume traffic from trusted sources is not interrupted while maintaining strong security
measures.
Loading
Loading