Why Is My Duo Admin API Rate Limit Being Hit Despite Low Traffic?

gabrielladawn
Level 1

Hello

We are using the Duo Admin API to automate user lifecycle management, primarily adding and removing users in sync with our internal provisioning system. While our actual API calls are relatively infrequent (roughly 30–50 per hour), we have been facing rate limit errors (429 Too Many Requests) sporadically, even during off-peak hours.

We have reviewed the official rate limits and confirmed we are far below the documented threshold of 100 requests per minute. We also implemented exponential backoff with retries, but the errors still occur unpredictably. This makes us wonder if background polling by another integration or stale API keys may be contributing to silent overuse. As I am exploring automation roles, including understanding what a Prompt Engineer is, I find it essential to grasp how API behaviors like rate limits can silently disrupt downstream workflows.

Has anyone else experienced similar rate-limit issues despite seemingly low usage? Any tips for better visibility into API consumption per integration, or ways to proactively audit key activity, would be greatly appreciated.

Thank you !!

Enes Simnica
Level 4

Hello @gabrielladawn. I've seen similar Duo API rate limit issues even under low loads. Key findings from my deployments:

  1. Hidden causes:
  • Duo's per-endpoint limits (some APIs have tighter quotas than the global 100/min)
  • Cached credentials triggering auth storms
  • Duo Mobile background checks consuming slots
  2. Don't forget to use some debugs. As I can remember, I used something like this to check the per-key usage...
curl -H "Authorization: Basic $(echo -n '<ikey>:<skey>' | base64)" \
  https://api.duosecurity.com/admin/v1/logs/administrator | grep -A 5 "rate_limit"

The other thing that I would do is proactive fixes, meaning: implement request pacing (max 2/sec even if under 100/min), then rotate keys monthly and audit orphans, and why not use dedicated keys per integration. Also, I have to tell you man, the most common fix I've implemented is adding 500ms delays between sequential calls, which resolved 90% of false 429s.

Check these links, G:

Hope it helps, G.

-Enes
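As an added example (not code from this thread or from Duo's own client library), a small Python client that applies the pacing and 429 backoff Enes describes, and that also performs the HMAC-SHA1 request signing the Admin API expects, since a plain base64 of ikey:skey as in the curl line above is not what the API accepts. IKEY, SKEY and HOST are constructed placeholders, and `send` is an injectable transport (wrap `requests` or `urllib` in production) so the client can be exercised offline.

```python
import base64, email.utils, hashlib, hmac, time, urllib.parse

# Constructed placeholder credentials and API hostname (not real Duo values).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "0000000000000000000000000000000000000000"
HOST = "api-XXXXXXXX.duosecurity.com"


def canonicalize(date, method, host, path, params):
    """String Duo signs: date, METHOD, lowercased host, path, sorted url-encoded params."""
    query = "&".join(f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(v, '~')}"
                     for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign(ikey, skey, date, method, host, path, params):
    """Admin API v1 auth: HMAC-SHA1 of the canonical request, sent as Basic ikey:signature."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


class PacedDuoClient:
    """Spaces requests at least min_interval apart (the 500 ms pacing from the reply)
    and retries HTTP 429 with exponential backoff, honouring Retry-After when sent."""

    def __init__(self, send, min_interval=0.5, max_retries=4,
                 sleep=time.sleep, clock=time.monotonic):
        # send(method, host, path, params, headers) -> (status, resp_headers, body)
        self.send, self.min_interval, self.max_retries = send, min_interval, max_retries
        self.sleep, self.clock = sleep, clock
        self.last_sent, self.attempts = float("-inf"), 0

    def request(self, method, path, params=None):
        params = params or {}
        for attempt in range(self.max_retries + 1):
            wait = self.last_sent + self.min_interval - self.clock()
            if wait > 0:
                self.sleep(wait)  # pacing: never burst, even when well under 100/min
            date = email.utils.formatdate()  # RFC 2822 date that Duo includes in the signature
            headers = sign(IKEY, SKEY, date, method, HOST, path, params)
            self.last_sent = self.clock()
            self.attempts += 1
            status, resp_headers, body = self.send(method, HOST, path, params, headers)
            if status != 429:
                return status, body
            self.sleep(float(resp_headers.get("Retry-After", 2 ** attempt)))  # 1, 2, 4, 8 s
        raise RuntimeError(f"still rate limited after {self.max_retries} retries")
```

Giving each integration its own ikey and signing with it, as the reply suggests, also makes the administrator log attribute each call to the right integration when you audit usage.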