Firebase blocks your authentication requests due to too many attempts in a short period. This is a rate-limiting protection that requires implementing exponential backoff, adding CAPTCHA verification, or adjusting Firebase quota settings.
The "auth/too-many-requests" error is Firebase's rate-limiting mechanism to protect its servers from abuse and suspicious activity patterns. When triggered, it indicates your application or user has exceeded the allowed number of authentication requests within a specific timeframe. Firebase detects unusual request patterns from a device or IP address and temporarily blocks further authentication attempts. This protection applies per customer and can be enabled without warning on accounts showing suspicious traffic. The error typically appears when signing up, logging in, sending verification emails, or performing other auth operations at excessive frequency.
Add delays between retry attempts that increase exponentially. This reduces server load and increases success likelihood.
async function authWithBackoff(authFunction, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    try {
      return await authFunction();
    } catch (error) {
      if (error.code === 'auth/too-many-requests' && i < maxRetries - 1) {
        // Exponential backoff: 1s, 2s, 4s, 8s...
        const delayMs = Math.pow(2, i) * 1000;
        await new Promise(resolve => setTimeout(resolve, delayMs));
      } else {
        throw error;
      }
    }
  }
}

// Usage
authWithBackoff(() => auth.signInWithEmailAndPassword(email, password));

Implement reCAPTCHA (v2 or v3) to distinguish legitimate users from bots, reducing rate limit triggers.
import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

// Initialize App Check with reCAPTCHA v3
initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider('YOUR_RECAPTCHA_PUBLIC_KEY'),
  isTokenAutoRefreshEnabled: true,
});

// Or for sign-in with reCAPTCHA v2
const recaptchaVerifier = new firebase.auth.RecaptchaVerifier('recaptcha-container');
auth.signInWithPhoneNumber(phoneNumber, recaptchaVerifier)
  .then(confirmationResult => {
    // Handle confirmation
  })
  .catch(error => {
    if (error.code === 'auth/too-many-requests') {
      // User will see reCAPTCHA on next attempt
    }
  });

Use the "Manage sign-ups" feature to increase authentication quotas for your project.
1. Go to Firebase Console > Authentication
2. Click "Sign-up quota" or "Manage sign-ups"
3. Review current limits (varies by plan: Spark=100/day, Pay-as-you-go=higher)
4. Increase the quota for your use case
5. Note: Free Spark plan has fixed limits; consider upgrading for higher quotas
For special use cases or bulk testing, contact Firebase support at least 2-3 weeks in advance.
During development and testing, avoid blocking real email addresses or phone numbers by using test credentials.
// For phone authentication testing, use non-production phone numbers
const testPhoneNumbers = [
  '+11234567890',
  '+15555555555',
];

// For email testing, use different test accounts each time
const testEmails = [
  '[email protected]',
  '[email protected]',
];
// This prevents hitting rate limits during development

Test across multiple devices or use Firebase Emulator Suite to avoid IP-based throttling during local development.
Add client-side delays between authentication operations to stay under Firebase limits.
// Implement minimum delay between auth operations
class AuthRateLimiter {
  constructor(minDelayMs = 2000) {
    this.minDelayMs = minDelayMs;
    this.lastRequestTime = 0;
  }

  async executeAuthOperation(operation) {
    const now = Date.now();
    // Reserve the next free slot before waiting, so that calls made at the
    // same time are spaced out instead of all firing after the same delay.
    const startAt = Math.max(now, this.lastRequestTime + this.minDelayMs);
    this.lastRequestTime = startAt;
    if (startAt > now) {
      await new Promise(resolve => setTimeout(resolve, startAt - now));
    }
    return operation();
  }
}

const limiter = new AuthRateLimiter(3000); // 3 second minimum between requests
limiter.executeAuthOperation(() => sendPasswordResetEmail(email));

Use Firebase Analytics and your logging to identify which operations trigger rate limits.
// Log auth attempts to identify patterns.
// authOperation is the function that performs the call,
// e.g. () => sendPasswordResetEmail(email)
async function logAuthAttempt(operation, email, authOperation) {
  const timestamp = new Date().toISOString();
  console.log(`[${timestamp}] Auth operation: ${operation} - ${email}`);
  try {
    const result = await authOperation();
    console.log('SUCCESS');
    return result;
  } catch (error) {
    if (error.code === 'auth/too-many-requests') {
      console.warn('RATE_LIMITED - Wait before retrying');
    }
    throw error;
  }
}
// Review logs to see if specific operations (sendEmailVerification, signUp, etc.)
// are triggering limits more frequently

Firebase Authentication Limits Documentation: Firebase enforces per-customer rate limits that can change without notice. Abuse protections may be enabled automatically on accounts with suspicious traffic patterns. The exact thresholds vary by operation (sign-up, sign-in, email verification, etc.) and are not publicly documented, making it important to implement defensive coding patterns.
Testing Best Practices: Firebase Emulator Suite (firebase emulators:start) can help you test authentication without hitting production rate limits. Use the emulator during development to avoid blocking development IPs or test email addresses.
Plan Considerations: The Spark (free) plan has daily limits (100 user account creations/day), while Pay-as-you-go plans scale limits. If you need bulk user imports or high-volume auth operations, contact Firebase support weeks in advance to request temporary increases.
Phone Number Rate Limits: SMS verification has separate rate limits (per phone number, per project). Use fictional test numbers starting with +1 (US) to avoid accidentally blocking real users during testing.
Identity Platform vs Firebase Auth: Upgrading to Firebase Auth with Identity Platform provides more generous quotas and additional features for managing rate limiting and authentication at scale.
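To act on the advice to review logs, the following added example (not part of the original page or of any Firebase SDK) summarizes, per operation, how often the limit was hit, using the line format that the page's logAuthAttempt helper prints. The function names, the sample log and its example.test addresses are constructed for illustration, and the pairing of attempt and outcome lines assumes operations are logged one at a time.

```javascript
// Added example: per-operation rate-limit summary from the log lines that the
// page's logAuthAttempt helper prints. Assumes attempts are logged sequentially.
const ATTEMPT = /^\[[^\]]+\] Auth operation: (\S+) - /;

function summarizeAuthLog(lines) {
  const stats = {};   // operation -> { attempts, rateLimited }
  let pending = null; // operation of the attempt still waiting for an outcome
  for (const line of lines) {
    const match = ATTEMPT.exec(line);
    if (match) {
      // A new attempt line also closes any attempt that failed for another reason.
      pending = match[1];
      stats[pending] = stats[pending] || { attempts: 0, rateLimited: 0 };
      stats[pending].attempts += 1;
    } else if (pending && line.startsWith('RATE_LIMITED')) {
      stats[pending].rateLimited += 1;
      pending = null;
    } else if (line === 'SUCCESS') {
      pending = null;
    }
  }
  return stats;
}

// Operations that hit the limit, ordered by the share of attempts blocked.
function worstOffenders(stats) {
  return Object.entries(stats)
    .map(([operation, s]) => ({ operation, ...s, ratio: s.rateLimited / s.attempts }))
    .filter(row => row.rateLimited > 0)
    .sort((a, b) => b.ratio - a.ratio);
}

// Constructed sample log, not real traffic.
const sampleLog = [
  '[2024-05-01T10:00:00.000Z] Auth operation: signIn - a@example.test', 'SUCCESS',
  '[2024-05-01T10:00:01.000Z] Auth operation: sendEmailVerification - a@example.test',
  'RATE_LIMITED - Wait before retrying',
  '[2024-05-01T10:00:02.000Z] Auth operation: sendEmailVerification - b@example.test',
  'RATE_LIMITED - Wait before retrying',
  '[2024-05-01T10:00:03.000Z] Auth operation: signIn - b@example.test',
  'RATE_LIMITED - Wait before retrying',
  '[2024-05-01T10:00:04.000Z] Auth operation: signIn - c@example.test', 'SUCCESS',
  '[2024-05-01T10:00:05.000Z] Auth operation: sendEmailVerification - c@example.test', 'SUCCESS',
  '[2024-05-01T10:00:06.000Z] Auth operation: signIn - d@example.test', 'SUCCESS',
];

console.log(worstOffenders(summarizeAuthLog(sampleLog)));
```

An operation at the top of this list is the first candidate for the backoff, throttling or reCAPTCHA measures described earlier.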