API Calls

Below is a table that lists Gigya's Acceptable Use Policy - what is considered fair use of our platform - in numbers of API calls per license type and number of contacts (users).


  Up to 5MUp to 10MUp to 20MUp to 50M> 50M

# of logins per second


# of registrations per second

Identity# of searches per second1015203050
Identity# of other API calls per second120180280420630
Identity# of federated SAML/OIDC sites55101520
Consent# of searches per second55101520
Consent# of other API calls per second5070110160250
Profile# of ds records (Millions)5070110160250
Profile# of Identity Sync incremental records per month (Millions)7.5153070150
Platform## of production sites103090180360
Platform## of test sites3060180360720
Platform## of user keys per account/partner100100100100100
Platform## of app keys per account/partner20305080120
Platform## of SMS messages per month10,00015,00020,00025,00030,000

Rate limits for client-side calls are significantly lower than for server side calls, when making a server-side call, make sure you include appropriate security credentials (app secret or partner secret). Otherwise, the call will be treated as a client-side call for purposes of rate usage, causing you to hit the limit much sooner than you normally would.  

For more information on authorization, see Application Keys.

Rate Limits

In general, Gigya has 3 kinds of rate limits that we impose on the API endpoints:

Client-Side Rate Limits

API rate restrictions that apply to requests made from the client-side (i.e. Web SDK and mobile SDKs). The limitation is quite low (~0.5 per second per endpoint) The key criteria in terms of rate limits is the IP address, so that many users should be able to connect to the service in parallel, but no single IP address can perform a high volume of calls at a given moment.

Server-Side Rate Limits

API rate restrictions that apply to signed/authorized requests made from the server-side (e.g. REST API, PHP SDK, etc...). Although client-side and server-side endpoints use the same URL (e.g. "https://accounts.us1.gigya.com/accounts.getAccountInfo"), server-side requests can be differentiated because they include authorization parameters, such as the Application Key and secret or the partner secret key. These limits are high (~hundreds per second per endpoint) and are not limited by IP address, as it is expected that several server-side requests are made using the same IP address.

Overall Rate Limits

These restrictions apply to an API key, to limit the total number of requests per second that can be processed by our service. These limits are very high.

Load and Security Tests

Load tests and/or security scans may not be performed on the Gigya platform without prior coordination with the Support team.

Failure to coordinate these types of tests in advance will cause Gigya to treat these tests as malicious, automatically triggering security measures which can cause service interruptions to your production systems.