Rate limiting

Rate limiting controls the number of incoming and outgoing requests to or from a network. For example, let’s imagine you are using a particular service’s API that is configured to allow 100 requests/minute. If the number of requests you make exceeds that limit, an error is triggered.

ReachFive APIs employ safeguards against bursts of incoming traffic for each tenant to help maximize its stability. The Rate Limiter setting in the ReachFive Console allows you to change the maximum number of calls from the same IP within a defined timeframe.

When an IP reaches the limit, the server responds with 429 Too Many Requests.

Rate limiting endpoints

By default, all endpoints below allow 20 requests every 60 seconds from the same IP.

Each endpoint specifies whether you can configure the maximum number of attempts and sliding window duration.
Operation Endpoint Configurable

Retrieve access token


Revoke refresh token


Login with password


Sign up new user


Sign up new user and return token


Request password reset


Update password


Update phone number


Verify phone number


Update email


Verify email


Start passwordless flow


Verify passwordless


Verify SMS auth code


Configure rate limits

Some ReachFive API endpoints have configurable rate limits. You can configure these from your ReachFive Console.


  • You must have access to the ReachFive Console.

  • You must have a Developer, Manager, or Administrator role.


  1. Go to Settings > Security > Rate limiter.

  2. Go to your desired configurable endpoint.

  3. Set the Maximum number of attempts by entering the value or using the up and down arrows.

  4. Set the Sliding window duration by entering the value or using the up and down arrows.

    This is specified in seconds.

Bypass rate limit configuration

You can add IP addresses to a whitelist under Global settings. The IP addresses listed there are not subject to any rate limit on any ReachFive endpoint. List the entries one per line.

IPv4 addresses

We support both the standard IPv4 address format and IPv4 address ranges.

The syntax supports ranges of IPv4, as you can see in the following examples:

  • Using /z, the CIDR notation, you can define a range of usable addresses throughout the 4 octets: will accept addresses from to

  • Using *.*, called asterisk octet, you can wildcard a whole octet of addresses: 10.0.0.*.* will accept addresses from to

  • Using x-y, called hyphenated octet, you can define a specific range of allowed addresses: will accept addresses from to

  • You can mix both asterisks and hyphenated patterns, as long as you respect the rules below: 10.0.1-10.* will accept addresses from to

There are specific rules to follow when using this syntax:

  • x must always be less than y, meaning that:

    • x can only be 0 through 254

    • y can only be x+1 through 255

  • You can have only one hyphenated octet per address.

  • Only asterisks are permitted after a hyphenated octet.
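A whitelist entry removes every address it matches from rate limiting, so it helps to check an entry against the rules above and count how many addresses it covers before saving it. The following is an added example, not ReachFive's code: the function names and sample entries are made up for the illustration, and it assumes every non-CIDR pattern has exactly four octets.

```python
import ipaddress
from math import prod

def parse_entry(entry):
    """Parse one IPv4 whitelist line into ("cidr", network) or ("octets", spans)."""
    entry = entry.strip()
    if "/" in entry:  # CIDR notation; ipaddress raises ValueError on bad input
        return "cidr", ipaddress.IPv4Network(entry, strict=False)
    parts = entry.split(".")
    if len(parts) != 4:  # assumption: a pattern always has four octets
        raise ValueError(f"{entry!r}: expected four octets")
    spans, hyphen_seen = [], False
    for part in parts:
        if part == "*":  # asterisk octet: any value
            spans.append((0, 255))
            continue
        if hyphen_seen:  # also rejects a second hyphenated octet
            raise ValueError(f"{entry!r}: only asterisks may follow a hyphenated octet")
        if "-" in part:  # hyphenated octet x-y
            x, y = map(int, part.split("-"))
            if not (0 <= x <= 254 and x < y <= 255):
                raise ValueError(f"{entry!r}: need 0 <= x < y <= 255")
            hyphen_seen = True
        else:  # plain octet
            x = y = int(part)
            if not 0 <= x <= 255:
                raise ValueError(f"{entry!r}: octet out of range")
        spans.append((x, y))
    return "octets", spans

def address_count(entry):
    """Number of IPv4 addresses one entry exempts from rate limiting."""
    kind, value = parse_entry(entry)
    if kind == "cidr":
        return value.num_addresses
    return prod(hi - lo + 1 for lo, hi in value)

def is_exempt(ip, entries):
    """True if ip matches any whitelist entry."""
    addr = ipaddress.IPv4Address(ip)
    for kind, value in map(parse_entry, entries):
        if kind == "cidr" and addr in value:
            return True
        if kind == "octets" and all(lo <= o <= hi for o, (lo, hi) in zip(addr.packed, value)):
            return True
    return False

# Constructed sample entries; 10.0.1-10.* is the mixed pattern quoted above.
SAMPLE = ["192.0.2.0/24", "10.0.1-10.*", "198.51.100.7"]
```

Under this reading, the single line 10.0.1-10.* exempts 2,560 addresses, which is the kind of figure worth reviewing before a bypass entry goes live.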

IPv6 addresses

Currently, only the standard IPv6 address format such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is supported.