Firebase has enforced usage quotas on your project that limit authentication operations. Common causes include exceeding daily SMS verification limits, phone authentication requests, or password verification attempts. Resolve by upgrading to Blaze plan, using test phone numbers, or requesting a temporary quota increase.
The "auth/quota-exceeded" error occurs when your Firebase Authentication project has exceeded its allocated daily usage limits. On the free Spark plan, Firebase enforces strict quotas for security and resource management. These quotas apply differently depending on your authentication method: SMS verification has a daily limit (typically 50 SMS per day for new projects), phone authentication requests are rate-limited per phone number, and password verification attempts have their own limits. The error message is deliberately vague to prevent quota bypass attacks, but the underlying cause is always that you have hit a resource consumption ceiling.
Go to the Firebase Console, select your project, then navigate to Project Settings > Billing. Confirm whether you are on the Spark (free) plan or Blaze (pay-as-you-go) plan.
If on Spark plan, you have strict daily quotas. If on Blaze, quotas are much higher and mostly pay-per-use.
Go to Project Settings > Quotas to see current daily usage and limits. Look for:
- Account creation limit
- SMS verification quota (typically 50/day)
- Password verification quota
- Email link sign-in quota (5/day on Spark)
Identify which quota you exceeded.
For production apps, upgrade from Spark to Blaze plan in Project Settings > Billing. Blaze uses pay-as-you-go pricing with much higher quotas. Even with Blaze, quotas still exist (e.g., 100 SMS/day default), but you can request increases.
This is the most reliable long-term solution.
If you cannot upgrade immediately, go to Project Settings > Quotas in Firebase Console. Select the quota that was exceeded (e.g., account creation), click "Edit Quotas", and enter your requested limit. Submit the increase request—Firebase may approve temporary increases within 5-10 minutes.
If you are hitting SMS limits:
- Use fictional test phone numbers (Firebase provides a whitelist feature in Authentication > Phone numbers for testing)
- Test across different phone numbers to spread verification attempts
- Enable Activity Logging in Authentication settings to track usage per number
- Contact Firebase support if you need a higher SMS quota for legitimate business reasons
Add delays and attempt limits on the client side:
const MAX_ATTEMPTS = 3;
const DELAY_MS = 5000;
let attemptCount = 0;
async function signInWithPhoneNumber(phoneNumber) {
if (attemptCount >= MAX_ATTEMPTS) {
throw new Error('Too many attempts. Wait before retrying.');
}
attemptCount++;
await new Promise(r => setTimeout(r, DELAY_MS));
return firebase.auth().signInWithPhoneNumber(phoneNumber);
}This prevents your app from hammering Firebase during development.
The "auth/quota-exceeded" error message is intentionally generic to prevent quota bypass attacks. Different authentication methods have different underlying quotas: SMS verification, phone sign-in, password verification, and email link sign-in all have separate limits that can be exhausted independently. On Spark plan, these quotas reset at UTC midnight daily. On Blaze plan, most quotas either scale with usage or can be requested. If you are consistently hitting quotas after upgrading to Blaze, contact Firebase support—they may whitelist your project or offer custom quota adjustments for legitimate high-volume use cases. When testing authentication flows, always use test phone numbers from the Firebase Console whitelist to avoid consuming production SMS quota.
Callable Functions: INTERNAL - Unhandled exception
How to fix "Callable Functions: INTERNAL - Unhandled exception" in Firebase
auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options
How to fix "auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options" in Firebase
Hosting: CORS configuration not set up properly
How to fix CORS configuration in Firebase Hosting
auth/reserved-claims: Custom claims use reserved OIDC claim names
How to fix "reserved claims" error when setting custom claims in Firebase
Callable Functions: UNAUTHENTICATED - Invalid credentials
How to fix "UNAUTHENTICATED - Invalid credentials" in Firebase Callable Functions