Below is a table that lists Gigya's Acceptable Use Policy - what is considered fair use of our platform - in numbers of API calls per license type and number of contacts (users).
|Up to 5M||Up to 10M||Up to 20M||Up to 50M||> 50M|
# of logins per second
# of registrations per second
|Identity||# of searches per second||10||15||20||30||50|
|Identity||# of other API calls per second||120||180||280||420||630|
|Identity||# of federated SAML/OIDC sites||5||5||10||15||20|
|Consent||# of searches per second||5||5||10||15||20|
|Consent||# of other API calls per second||50||70||110||160||250|
|Profile||# of ds records (Millions)||50||70||110||160||250|
|Profile||# of Identity Sync incremental records per month (Millions)||7.5||15||30||70||150|
|Platform||## of production sites||10||30||90||180||360|
|Platform||## of test sites||30||60||180||360||720|
|Platform||## of user keys per account/partner||100||100||100||100||100|
|Platform||## of app keys per account/partner||20||30||50||80||120|
|Platform||## of SMS messages per month||10,000||15,000||20,000||25,000||30,000|
Rate limits for client-side calls are significantly lower than for server side calls, when making a server-side call, make sure you include appropriate security credentials (app secret or partner secret). Otherwise, the call will be treated as a client-side call for purposes of rate usage, causing you to hit the limit much sooner than you normally would.
For more information on authorization, see Application Keys.
In general, Gigya has 3 kinds of rate limits that we impose on the API endpoints:
Client-Side Rate Limits
API rate restrictions that apply to requests made from the client-side (i.e. Web SDK and mobile SDKs). The limitation is quite low (~0.5 per second per endpoint) The key criteria in terms of rate limits is the IP address, so that many users should be able to connect to the service in parallel, but no single IP address can perform a high volume of calls at a given moment.
Server-Side Rate Limits
API rate restrictions that apply to signed/authorized requests made from the server-side (e.g. REST API, PHP SDK, etc...). Although client-side and server-side endpoints use the same URL (e.g. "https://accounts.us1.gigya.com/accounts.getAccountInfo"), server-side requests can be differentiated because they include authorization parameters, such as the Application Key and secret or the partner secret key. These limits are high (~hundreds per second per endpoint) and are not limited by IP address, as it is expected that several server-side requests are made using the same IP address.
Overall Rate Limits
These restrictions apply to an API key, to limit the total number of requests per second that can be processed by our service. These limits are very high.
Load tests and/or security scans may not be performed on the Gigya platform without prior coordination with the Support team.
Failure to coordinate these types of tests in advance will cause Gigya to treat these tests as malicious, automatically triggering security measures which can cause service interruptions to your production systems.