mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-16 05:54:01 +03:00
🐛 Bug Report: Using API frequently results in 429 Too Many Requests #603
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @meerumschlungen on GitHub (Jan 11, 2026).
Reproduction steps
First, thank you so much for your great work! I love Pocket-ID.
I decided to report a bug since this is an issue for me, but I understand that it could be considered a feature request.
Currently, I'm managing about 40 OIDC clients for 12 users in a homelab. Managing this via the UI is difficult, so I try to do so via infrastructure as code. I use Trozz/terraform-provider-pocketid (to which I also contribute) to configure PocketID via Terraform/OpenTofu.
The hard rate-limiting thresholds in pocket-id are a problem.
Expected behavior
In my scenario, it would be ideal to be able to increase the rate-limiting threshold by an order of magnitude, or better yet, opt out of it completely, to allow for full control with an external reverse proxy. In my opinion, baking it into the software is a questionable design decision.
Actual Behavior
Often, deploying stuff is an issue because, during deployment, the system reads the state of all individual entities via separate API calls, which effectively bursts the API. These calls are often throttled during subsequent deployments and eventually rate-limited with an HTTP response code of 429 (Too Many Requests).
I found a discussion #1118 that states the rate-limiting behavior of PocketID is currently not configurable.
Pocket ID Version
v2.1.0
Database
SQLite
OS and Environment
Docker version 29.1.3 on Ubuntu 24.04.3 LTS served via traefik v3.6.6
Log Output
No response
@stonith404 commented on GitHub (Jan 11, 2026):
I've added a new environment variable
DISABLE_RATE_LIMITINGin0d40d30d87. This should be available in the next release :)@meerumschlungen commented on GitHub (Jan 12, 2026):
Thank you so much for being this responsive!
Just as a side note for people stumbling upon this: rate-limiting can now be disabled but be aware that it is probably not a good idea to just disable it when running into issues without other security measurements in place, especially when pocket-id is facing internet. Follow security principles and establish a suitable and reasonable solution for your environment e.g. perform rate-limiting via reverse proxy, configure fail2ban, etc.
See docs: