redpanda-data · micheleRP · May 27, 2026 · May 27, 2026
@@ -28,6 +28,10 @@ xref:security:cloud-authentication.adoc#account-impersonation[Account impersonat
 
 The free trial for Redpanda Serverless now lasts 30 days, up from 14 days. The $100 (USD) credit allowance and 7-day grace period are unchanged. Sign up at https://www.redpanda.com/try-data-streaming[redpanda.com^]. See xref:get-started:cluster-types/serverless.adoc[Serverless clusters].
 
+=== Service account token rate limits
+
+A daily limit now applies to service account access token requests for each organization. Clients that exceed the limit receive `HTTP 429` responses. Cache tokens until close to expiry to stay within the limit, and contact Redpanda Support if your workload requires a higher daily limit. See xref:security:cloud-authentication.adoc#service-account-token-rate-limits[Service account token rate limits].
+
 == April 2026
 
 === Self-service sign-up through Google Cloud Marketplace

@@ -297,6 +297,47 @@ Make sure to replace the following variables:
 |Client secret.
 |===
 
+=== Service account token rate limits
+
+Redpanda Cloud enforces a daily limit on service account access token requests to `\https://auth.prd.cloud.redpanda.com/oauth/token` for each organization. When you exceed the limit, the token endpoint returns `HTTP 429` with the following response body:
+
+[,json]
+----
+{
+  "error": "too_many_requests",
+  "error_description": "Organization quota exceeded"
+}
+----
+
+Most workloads do not approach this limit. Access tokens are valid for several hours, so cache the token returned by the `/oauth/token` endpoint and reuse it until close to expiry rather than requesting a new token for each API call.
+
+Every response from the token endpoint, including responses that return `HTTP 429`, includes an `Auth0-Organization-Quota-Limit` header that reports your organization's current quota usage. The header carries one or more comma-separated buckets in the form `b=<window>;q=<limit>;r=<remaining>;t=<seconds-to-reset>`. For example:
+
+----
+Auth0-Organization-Quota-Limit: b=per_hour;q=50;r=47;t=3540,b=per_day;q=250;r=247;t=43200
+----
+
+[cols="1,3"]
+|===
+|Field |Description
+
+|`b`
+|Bucket window. For example, `per_hour` or `per_day`.
+
+|`q`
+|The bucket's token-issuance limit.
+
+|`r`
+|Tokens remaining in the current window.
+
+|`t`
+|Seconds until the current window resets.
+|===
+
+When the token endpoint returns `HTTP 429`, find the bucket whose `r` is `0` and back off for that bucket's `t` seconds before retrying.
+
+If your workload requires a higher daily limit, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^] with your organization ID and your expected token issuance rate.
+
 [[mtls]]
 === Enable mTLS authentication
 :description: Use the Cloud API to enable mTLS for Kafka API, HTTP Proxy, and Schema Registry connections on your Redpanda cluster.