Rate Limits

Last modified on April 2, 2024

Current Rate Limits

StrongDM uses rate limits to mitigate traffic caused by misconfiguration or malicious actors. These limits are designed to be generous enough not to be an obstacle for normal use. Rate limits for the StrongDM service are:

  • Individual users (including API keys and admin tokens) can make up to 5,000 read requests and 500 write requests per minute.
  • The sum of all actions taken within an organization can be up to 150,000 read requests and 15,000 write requests per minute.

Measurement and Enforcement of Limits

Every API request, whether initiated directly with SDKs or through the use of StrongDM applications (such as the Admin UI), counts against the defined rate limits for any given user or organization. When a request comes in and the rate limit (for either the individual user or for the organization as a whole) has been hit, the request fails. The permitted amount of remaining available calls per minute dynamically refills.

How to Expose Rate Limits

When a call from a StrongDM SDK or the Terraform provider hits a rate limit, the SDK or Terraform provider pauses and then retries the request. The SDKs (and the Terraform provider) offer a way to turn this off and instead expose an error when a rate limit is hit.

For Go, you can use the WithRateLimitRetries option when creating a client:

client, err := sdm.New("token", "secret", sdm.WithRateLimitRetries(false))

For Java, you can provide a ClientOptions object:

new Client("token", "secret", new ClientOptions().withRateLimitRetries(false))

Python and Ruby both support the setting via a named parameter.


sdm.Client("token", "secret", retry_rate_limit_errors = false)


SDM::Client.new("token", "secret", retry_rate_limit_errors: false)

For Terraform, you can set the environment variable SDM_RETRY_RATE_LIMITS to false.