Quotas and limits

The following auth operations are subject to limits on how often you can perform them. Contact Google Cloud a few weeks in advance to discuss special use cases.

Daily instrumentless usage limits

The following limits are daily usage limits for users of Identity Platform without a billing instrument. These usage limits correspond directly to Google Cloud Pricing Tiers.

Usage Instrumentless Limit
Tier 1 Daily Active Users 3000 per day
Tier 2 Daily Active Users 2 per day
SMS Sent 10 per day
Multi Factor Authentications 10 per day

Account creation and deletion limits

Operation Limit
New account creation 100 accounts/hour for each IP address
Account deletion 10 accounts/second
Batch account deletion 1 request/second
Account configuration updates 10 requests/second

Account limits

Account type Limit
Anonymous user accounts 100 million
Registered user accounts Unlimited

Tenants per project

Billing model Limit
Instrumentless 2 tenants/project
Billing instrument Unlimited

Providers per project or tenant

There is no limit on the number of identity providers allowed per project or tenant.

Email sending limits

The quotas listed in this section scale with the number of users.

Operation Instrumentless With billing instrument
Address verification emails 1000 emails/day 100,000 emails/day
Address change emails 1000 emails/day 10,000 emails/day
Password reset emails 150 emails/day 10,000 emails/day
Email link sign-in emails 5 emails/day 25,000 emails/day

The quotas listed in this section scale with the number of users.

Operation Instrumentless With billing instrument
Address verification links 10,000 emails/day 1,000,000 emails/day
Password reset links 1500 emails/day 100,000 emails/day
Sign-in links 20,000 emails/day 250,000 emails/day

Phone number sign-in limits

Operation Limit
User sign-ins 1600/minute, as well as the pricing and limits specified on the Pricing page
Verification code SMS messages Instrumentless: 10 sent SMS/day; Billing instrument: No SMS/day limit
Verification requests 150 requests/IP address/hour

Verification SMS sending limits

Operation Limit
Verification SMS sent 1,000 sent/minute
Verification SMS sent per IP address 50 sent/minute, 500 sent/hour

Additionally, there is a limit on the number of verification SMS messages a project can send to a single phone number within a set amount of time. You can test with fictional numbers or across multiple devices to ensure a project does not exceed these limits.

You can also track verification codes sent per phone number if you have enabled Activity Logging on your project.

SMS MFA limits

Operation Limit
Start MFA enrollment per project and IP address 50 requests/minute, 500 requests/hour
Finalize MFA enrollment per project and IP address 150 requests/hour
Start MFA sign-in per project and IP address 50 requests/minute, 500 requests/hour
Finalize MFA sign-in per project and IP address 150 requests/hour
SMS verification codes sent per phone number 10 sent/hour
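
A local pre-check against the per-IP and per-phone-number rows of the table above, as an added example that is not Google's code. It replays send events through sliding windows and reports the sends that would go over a limit, which is also a quick way to spot one number or one IP address driving SMS volume. The `(timestamp, ip, phone)` event tuple, the sliding-window interpretation and all names are assumptions; the page does not say how the service measures its windows.

```python
from collections import defaultdict, deque

# Limits copied from the table above, as (window_seconds, max_events).
PER_IP_LIMITS = [(60, 50), (3600, 500)]   # start MFA enrollment / sign-in
PER_PHONE_LIMITS = [(3600, 10)]           # SMS verification codes sent

class SlidingWindow:
    """Tracks accepted events per key against one or more window limits."""
    def __init__(self, limits):
        self.limits = limits
        self.horizon = max(window for window, _ in limits)
        self.accepted = defaultdict(deque)  # key -> timestamps, oldest first

    def would_exceed(self, key, ts):
        q = self.accepted[key]
        while q and q[0] <= ts - self.horizon:  # drop events older than any window
            q.popleft()
        for window, cap in self.limits:
            if sum(1 for t in q if t > ts - window) >= cap:
                return (window, cap)
        return None

    def record(self, key, ts):
        self.accepted[key].append(ts)

def audit(events):
    """events: (unix_ts, ip, phone) tuples sorted by time (assumed format).
    Returns (ts, ip, phone, reason) for each send a pre-check would hold back."""
    by_ip, by_phone = SlidingWindow(PER_IP_LIMITS), SlidingWindow(PER_PHONE_LIMITS)
    held = []
    for ts, ip, phone in events:
        hit_ip = by_ip.would_exceed(ip, ts)
        hit_phone = by_phone.would_exceed(phone, ts)
        if hit_ip or hit_phone:
            scope, (window, cap) = ("ip", hit_ip) if hit_ip else ("phone", hit_phone)
            held.append((ts, ip, phone, f"{scope}: {cap} per {window}s reached"))
            continue  # a held send does not count toward later windows
        by_ip.record(ip, ts)
        by_phone.record(phone, ts)
    return held

def constructed_events():
    # Constructed sample: documentation-range IP, fictional 555 number,
    # one code every 5 minutes, then one more after the first has aged out.
    ip, phone = "203.0.113.7", "+15555550100"
    return [(i * 300, ip, phone) for i in range(12)] + [(3700, ip, phone)]

if __name__ == "__main__":
    for row in audit(constructed_events()):
        print(row)
```
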

Identity Toolkit API limits

Operation Limit
Operations per service account 500 requests/second
Operations per project 1000 requests/second, 10 million requests/day
Account uploads per project* 3600 uploads/minute
Account downloads per project* 21,000 requests/minute
UserInfo queries per project* 900 requests/minute
Configuration updates per project* 300 requests/minute
Configuration updates per project and user* 300 requests/minute
Bulk delete accounts per project* 3000 requests/minute
Custom token sign-ins per project 45,000 sign-ins/minute
createAuthURI calls per IP address 120 requests/hour
Blocking function invocations per project 2000 requests/minute
GetAccountInfo per project* 500,000 requests/minute

* Admin-only operations.

The fetchProvidersForEmail() and fetchSignInMethodsForEmail(email) methods leverage the createAuthURI endpoint.

Token Service API limits

Operation Limit
Token exchange per project 18,000 exchanges/minute