Quotas and limits
The following auth operations have limitations on the frequency you can perform them. Contact Google Cloud a few weeks in advance to discuss special use cases.
Daily Instrumentless Usage Limits
The following limits are daily usage limits for users of Identity Platform without a billing instrument. These usage limits correspond directly to Google Cloud Pricing Tiers.
| Usage | Instrumentless Limit |
|---|---|
| Tier 1 Daily Active Users | 3000 per day |
| Tier 2 Daily Active Users | 2 per day |
Account creation and deletion limits
| Operation | Limit |
|---|---|
| New account creation | 100 accounts/hour for each IP address |
| Account deletion | 10 accounts/second |
| Batch account deletion | 1 request/second |
| Account configuration updates | 10 requests/second |
Account limits
| Account type | Limit |
|---|---|
| Anonymous user accounts | 100 million |
| Registered user accounts | Unlimited |
Tenants per project
| Billing model | Limit |
|---|---|
| Instrumentless | 2 tenants/project |
| Billing instrument | Unlimited |
Providers per project or tenant
There is no limit on the number of identity providers allowed per project or tenant.
Email sending limits
The quotas listed in this section scale with the number of users.
| Operation | Instrumentless | With billing instrument |
|---|---|---|
| Address verification emails | 1000 emails/day | 100,000 emails/day |
| Address change emails | 1000 emails/day | 10,000 emails/day |
| Password reset emails | 150 emails/day | 10,000 emails/day |
| Email link sign-in emails | 5 emails/day | 25,000 emails/day |
Email link generation limits
The quotas listed in this section scale with the number of users.
| Operation | Instrumentless | With billing instrument |
|---|---|---|
| Address verification links | 10,000 emails/day | 1,000,000 emails/day |
| Password reset links | 1500 emails/day | 100,000 emails/day |
| Sign-in links | 20,000 emails/day | 250,000 emails/day |
Phone number sign-in limits
| Operation | Limit |
|---|---|
| User sign-ins | 1600/minute, as well as the pricing and limits specified on the Pricing page |
| Verification code SMS messages |
Instrumentless: 10 sent SMS/day Billing instrument: No SMS/day limit |
| Verification requests | 150 requests/IP address/hour |
Verification SMS sending limits
| Operation | Limit |
|---|---|
| Verification SMS sent. | 1,000 sent/minute |
| Verification SMS sent per IP address | 50 sent/minute, 500 sent/hour |
Additionally, there is a limit on the number of verification SMS messages a project can send to a single phone number within a set amount of time. You can test with fictional numbers or across multiple devices to ensure a project does not exceed these limits.
Additionally, you can track verification codes sent per phone number if you've enabled Activity Logging on your project.
SMS MFA limits
| Operation | Limit |
|---|---|
| Start MFA enrollment per project and IP address | 50 requests/minute, 500 requests/hour |
| Finalize MFA enrollment per project and IP address | 150 requests/hour |
| Start MFA sign-in per project and IP address | 50 requests/minute, 500 requests/hour |
| Finalize MFA sign-in per project and IP address | 150 requests/hour |
| SMS verification codes sent per phone number | 10 sent/hour |
Identity Toolkit API limits
| Operation | Limit |
|---|---|
| Operations per service account | 500 requests/second |
| Operations per project | 1000 requests/second, 10 million requests/day |
| Account uploads per project* | 3600 uploads/minute |
| Account downloads per project* | 21,000 requests/minute |
| UserInfo queries per project* | 900 requests/minute |
| Configuration updates per project* | 300 requests/minute |
| Configuration updates per project and user* | 300 requests/minute |
| Bulk delete accounts per project* | 3000 requests/minute |
| Custom token sign-ins per project | 45,000 sign-ins/minute |
createAuthURI calls per IP address |
120 requests/hour |
| Blocking function invocations per project | 2000 requests/minute |
GetAccountInfo per project* |
500,000 requests/minute |
* Admin-only operations.
The fetchProvidersForEmail() and fetchSignInMethodsForEmail(email) methods leverage the createAuthURI endpoint.
Token Service API limits
| Operation | Limit |
|---|---|
| Token exchange per project | 18,000 exchanges/minute |