🐛 Bug Report: Using API frequently results in 429 Too Many Requests #603

Closed
opened 2026-02-04 20:38:01 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @meerumschlungen on GitHub (Jan 11, 2026).

Reproduction steps

First, thank you so much for your great work! I love Pocket-ID.
I decided to report a bug since this is an issue for me, but I understand that it could be considered a feature request.
Currently, I'm managing about 40 OIDC clients for 12 users in a homelab. Managing this via the UI is difficult, so I try to do so via infrastructure as code. I use Trozz/terraform-provider-pocketid (to which I also contribute) to configure PocketID via Terraform/OpenTofu.
The hard rate-limiting thresholds in pocket-id are a problem.

Expected behavior

In my scenario, it would be ideal to be able to increase the rate-limiting threshold by an order of magnitude, or better yet, opt out of it completely, to allow for full control with an external reverse proxy. In my opinion, baking it into the software is a questionable design decision.

Actual Behavior

Often, deploying stuff is an issue because, during deployment, the system reads the state of all individual entities via separate API calls, which effectively bursts the API. These calls are often throttled during subsequent deployments and eventually rate-limited with an HTTP response code of 429 (Too Many Requests).
I found a discussion #1118 that states the rate-limiting behavior of PocketID is currently not configurable.

Pocket ID Version

v2.1.0

Database

SQLite

OS and Environment

Docker version 29.1.3 on Ubuntu 24.04.3 LTS served via traefik v3.6.6

Log Output

No response

Originally created by @meerumschlungen on GitHub (Jan 11, 2026). ### Reproduction steps First, thank you so much for your great work! I love Pocket-ID. I decided to report a bug since this is an issue for me, but I understand that it could be considered a feature request. Currently, I'm managing about 40 OIDC clients for 12 users in a homelab. Managing this via the UI is difficult, so I try to do so via infrastructure as code. I use [Trozz/terraform-provider-pocketid](https://github.com/Trozz/terraform-provider-pocketid) (to which I also contribute) to configure PocketID via Terraform/OpenTofu. The hard rate-limiting thresholds in pocket-id are a problem. ### Expected behavior In my scenario, it would be ideal to be able to increase the rate-limiting threshold by an order of magnitude, or better yet, opt out of it completely, to allow for full control with an external reverse proxy. In my opinion, baking it into the software is a questionable design decision. ### Actual Behavior Often, deploying stuff is an issue because, during deployment, the system reads the state of all individual entities via separate API calls, which effectively bursts the API. These calls are often throttled during subsequent deployments and eventually rate-limited with an HTTP response code of 429 (Too Many Requests). I found a discussion #1118 that states the rate-limiting behavior of PocketID is currently not configurable. ### Pocket ID Version v2.1.0 ### Database SQLite ### OS and Environment Docker version 29.1.3 on Ubuntu 24.04.3 LTS served via traefik v3.6.6 ### Log Output _No response_
Author
Owner

@stonith404 commented on GitHub (Jan 11, 2026):

I've added a new environment variable DISABLE_RATE_LIMITING in 0d40d30d87. This should be available in the next release :)

@stonith404 commented on GitHub (Jan 11, 2026): I've added a new environment variable `DISABLE_RATE_LIMITING` in 0d40d30d876773c06e6ff44b99fc0988c013650c. This should be available in the next release :)
Author
Owner

@meerumschlungen commented on GitHub (Jan 12, 2026):

Thank you so much for being this responsive!
Just as a side note for people stumbling upon this: rate-limiting can now be disabled but be aware that it is probably not a good idea to just disable it when running into issues without other security measurements in place, especially when pocket-id is facing internet. Follow security principles and establish a suitable and reasonable solution for your environment e.g. perform rate-limiting via reverse proxy, configure fail2ban, etc.

See docs:

You can disable the built-in rate limiting if you want to set your own rate limiting policy. Do not disable this if you don't have your own rate limiting configured in your reverse proxy.

@meerumschlungen commented on GitHub (Jan 12, 2026): Thank you so much for being this responsive! Just as a side note for people stumbling upon this: rate-limiting can now be disabled but be aware that it is probably not a good idea to just disable it when running into issues without other security measurements in place, especially when pocket-id is facing internet. Follow security principles and establish a suitable and reasonable solution for your environment e.g. perform rate-limiting via reverse proxy, configure fail2ban, etc. [See docs](https://pocket-id.org/docs/configuration/environment-variables): > You can disable the built-in rate limiting if you want to set your own rate limiting policy. Do not disable this if you don't have your own rate limiting configured in your reverse proxy.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#603