diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 5f7b413ff..bbaba1d7b 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -28,6 +28,10 @@ xref:security:cloud-authentication.adoc#account-impersonation[Account impersonat The free trial for Redpanda Serverless now lasts 30 days, up from 14 days. The $100 (USD) credit allowance and 7-day grace period are unchanged. Sign up at https://www.redpanda.com/try-data-streaming[redpanda.com^]. See xref:get-started:cluster-types/serverless.adoc[Serverless clusters]. +=== Service account token rate limits + +A daily limit now applies to service account access token requests for each organization. Clients that exceed the limit receive `HTTP 429` responses. Cache tokens until close to expiry to stay within the limit, and contact Redpanda Support if your workload requires a higher daily limit. See xref:security:cloud-authentication.adoc#service-account-token-rate-limits[Service account token rate limits]. + == April 2026 === Self-service sign-up through Google Cloud Marketplace diff --git a/modules/security/pages/cloud-authentication.adoc b/modules/security/pages/cloud-authentication.adoc index 5926846e2..ebd38e7d4 100644 --- a/modules/security/pages/cloud-authentication.adoc +++ b/modules/security/pages/cloud-authentication.adoc 
@@ -297,6 +297,47 @@ Make sure to replace the following variables: |Client secret. |=== +=== Service account token rate limits + +Redpanda Cloud enforces a daily limit on service account access token requests to `\https://auth.prd.cloud.redpanda.com/oauth/token` for each organization. When you exceed the limit, the token endpoint returns `HTTP 429` with the following response body: + +[,json] +---- +{ + "error": "too_many_requests", + "error_description": "Organization quota exceeded" +} +---- + +Most workloads do not approach this limit. Access tokens are valid for several hours, so cache the token returned by the `/oauth/token` endpoint and reuse it until close to expiry rather than requesting a new token for each API call. + +Every response from the token endpoint, including responses that return `HTTP 429`, includes an `Auth0-Organization-Quota-Limit` header that reports your organization's current quota usage. The header carries one or more comma-separated buckets in the form `b=;q=;r=;t=`. For example: + +---- +Auth0-Organization-Quota-Limit: b=per_hour;q=50;r=47;t=3540,b=per_day;q=250;r=247;t=43200 +---- + +[cols="1,3"] +|=== +|Field |Description + +|`b` +|Bucket window. For example, `per_hour` or `per_day`. + +|`q` +|The bucket's token-issuance limit. + +|`r` +|Tokens remaining in the current window. + +|`t` +|Seconds until the current window resets. +|=== + +When the token endpoint returns `HTTP 429`, find the bucket whose `r` is `0` and back off for that bucket's `t` seconds before retrying. + +If your workload requires a higher daily limit, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^] with your organization ID and your expected token issuance rate. + [[mtls]] === Enable mTLS authentication :description: Use the Cloud API to enable mTLS for Kafka API, HTTP Proxy, and Schema Registry connections on your Redpanda cluster.
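Review bot: In the whats-new-cloud.adoc hunk, the new entry says only "A daily limit now applies", but the header example added to cloud-authentication.adoc in the same patch shows a `per_hour` bucket alongside `per_day`, so the announcement and the reference section disagree on which windows are enforced. Either mention both windows here or word the entry as "rate limits now apply" and let the linked section carry the detail. Neither the entry nor the linked section states the limit value, so a client that currently requests a token per API call cannot tell from this text whether it is affected.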
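Review bot: In the cloud-authentication.adoc hunk, the 429 guidance ("find the bucket whose `r` is `0` and back off for that bucket's `t` seconds") does not cover a response in which more than one bucket is exhausted; since the example header carries both `per_hour` and `per_day`, say that the client should wait for the longest `t` among the buckets whose `r` is `0`. The bucket format is shown as `b=;q=;r=;t=` with empty values, which reads as if the placeholders were lost; write it with named placeholders so the format line matches the field table below it. The opening sentence also describes a daily limit only, while the example includes a `per_hour` bucket with `q=50`, so state whether the hourly window is enforced, and give the token lifetime more precisely than "several hours" so readers can size their cache.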