
Auth rate limit for sign-ups and sign-ins is not enforced despite configuration

Open · Sockitos opened this issue 2 days ago · 0 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The “Rate limit for sign-ups and sign-ins” setting configured via the Supabase Dashboard or config.toml does not appear to be enforced.

Even when setting a very low limit (e.g. 5 requests per 5 minutes per IP), the Auth API allows significantly more sign-up/sign-in requests from the same IP before returning a rate limit error.

Eventually, requests are blocked, but only after approximately 30–50 requests, seemingly due to a different, more general rate limit.

To Reproduce

  1. Create a brand new Supabase project.

  2. Go to Dashboard → Authentication → Configuration → Rate limits.

  3. Set Rate limit for sign-ups and sign-ins to 5.

    Alternatively, configure it in config.toml:

    # Number of sign up and sign-in requests that can be made in a 5 minute interval per IP address (excludes anonymous users).
    sign_in_sign_ups = 5
    
  4. Use a simple script (e.g. Python) to repeatedly call the sign-up endpoint from the same IP address.

  5. Observe that far more than 5 requests are accepted before any rate limit is triggered.

Eventually, requests fail with the following response:

{
  "code": 429,
  "error_code": "over_request_rate_limit",
  "msg": "Request rate limit reached"
}

This error only occurs after ~30–50 requests, not after the configured limit of 5.

Expected behavior

Once the configured limit (e.g. 5 requests per 5 minutes per IP) is reached, further sign-up/sign-in requests from the same IP should immediately be rejected with a rate limit error.
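The probe script mentioned in step 4, written out as an added example (not the reporter's own script) that you can run against your own local stack to check whether the limiter blocks at the configured value. It assumes a `supabase start` stack serving Auth on port 54321 and a placeholder anon key; it stops only on a 429 whose `error_code` is the `over_request_rate_limit` value quoted above, so unrelated failures do not end the probe early.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Placeholders (assumptions): a local stack started with `supabase start`
# serves Auth on port 54321; replace ANON_KEY with your project's anon key.
AUTH_URL = "http://127.0.0.1:54321/auth/v1/signup"
ANON_KEY = "<your-local-anon-key>"
EXPECTED_CODE = "over_request_rate_limit"  # error_code quoted in the issue

Response = Tuple[int, Optional[str]]  # (HTTP status, Auth error_code or None)


def send_signup(i: int) -> Response:
    """Issue one sign-up with a fresh address and report (status, error_code)."""
    body = json.dumps({"email": f"probe-{i}@example.com",
                       "password": "Probe-Password-123"}).encode()
    req = urllib.request.Request(
        AUTH_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "apikey": ANON_KEY})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        try:
            code = json.load(err).get("error_code")  # err is file-like; body carries error_code
        except ValueError:
            code = None
        return err.code, code


def accepted_before_limit(send: Callable[[int], Response], max_requests: int) -> int:
    """Send up to max_requests; return how many went through before the first
    429 carrying EXPECTED_CODE. Any other outcome (4xx on input, a 429 with a
    different error_code) is not the sign-up/sign-in limiter, so the probe continues."""
    for i in range(max_requests):
        status, code = send(i)
        if status == 429 and code == EXPECTED_CODE:
            return i
    return max_requests


def check_limit(send: Callable[[int], Response], configured_limit: int,
                max_requests: int = 60) -> Tuple[int, bool]:
    """Return (accepted, enforced); enforced is True only when blocking started
    exactly at the configured value, which is the behaviour this issue expects."""
    accepted = accepted_before_limit(send, max_requests)
    return accepted, accepted == configured_limit


if __name__ == "__main__":
    accepted, enforced = check_limit(send_signup, configured_limit=5)
    print(f"{accepted} sign-ups accepted before {EXPECTED_CODE}; enforced as configured: {enforced}")
```

With the limit set to 5 as in step 3, a correct limiter yields `(5, True)`; the behaviour described above would yield something like `(40, False)`.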

Screenshots

N/A — the issue is reproducible without screenshots.

System information

  • OS: macOS
  • Browser: N/A
  • Version of supabase-js: N/A
  • Version of Node.js: N/A

Additional context

While investigating this issue, I noticed that this setting was previously mislabeled and actually updated rate_limit_otp. This appears to have been addressed in the following commit:

https://github.com/supabase/auth/commit/64ae65930be6ac3cac1709c4ed880629b5c09e36#diff-6164e6a3032e7fde89da82e26f3eeed2cd887f44abf42a2c25218cc5bf166e8e

However, even when using a project running the latest Supabase Auth version, the sign-up/sign-in rate limit is still not enforced as configured.

This suggests that either:

  • the setting is still not wired correctly, or
  • another rate limit is taking precedence while this one is effectively ignored.

Sockitos · Jan 16 '26 15:01