- Request throttling (proactive): Prowler paces outbound requests through a shared limiter so scans stay under Okta’s rate limits and rarely trigger a rate-limit response in the first place.
- Retries (reactive): When Okta still returns a rate-limit response (HTTP 429), the official Okta Python SDK reads the `X-Rate-Limit-Reset` header and waits until the window resets before retrying. This acts as a safety net for occasional bursts.
Request Throttling (Requests per Second)
Throttling is the primary control for avoiding rate limits. Prowler limits the aggregate number of Okta API requests per second across every service in a scan.
Using the Command Line Flag
A value of 0 disables throttling.
Using the Configuration File
Retries
Retries cover the cases throttling does not prevent, such as short bursts or per-endpoint limits lower than the global cap.
Using the Command Line Flag
Using the Configuration File
How It Works
- Automatic detection: The Okta SDK retries the retryable statuses 429, 503, and 504.
- Reset-aware backoff: On a 429 response the SDK sleeps until the `X-Rate-Limit-Reset` window before each retry, rather than using a fixed delay.
- Bounded attempts: `okta_max_retries` caps how many times a single request is retried. The Okta SDK default is 2, which is often too low for large organizations, so Prowler defaults to 5.
Request Timeout
The `okta_request_timeout` setting plays a dual role in the Okta SDK:
- It is the per-request socket timeout, bounding how long a single HTTP call can hang.
- It is also the total wall-clock budget for the whole retry-and-backoff loop of one request.
Keep `okta_request_timeout` greater than or equal to `okta_max_retries` multiplied by 60 when raising the retry count, because Okta reset windows are typically up to one minute; otherwise the total budget can expire while the SDK is still waiting for a window to reset.
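To make the interaction of the three settings concrete, the following is an added, self-contained illustration of the behaviour described above (pacing through a shared limiter, reset-aware sleeps on 429, a retry cap and a total wall-clock budget). It is not Prowler's or the Okta SDK's code: the `RateLimiter`, `call_with_retries`, `FakeClock` and scripted-server helpers are hypothetical, the header name and retryable statuses come from this page, and the one-second guard added after the reset instant and the fixed one-second delay for 503/504 are assumptions chosen for the example.

```python
"""Illustrative pacing + reset-aware retry loop (hypothetical code, not Prowler's
or the Okta SDK's).  A fake clock and a scripted server make it run offline."""
import threading
import time
from dataclasses import dataclass, field

RETRYABLE = {429, 503, 504}          # statuses the page lists as retryable
START = 1_000.0                      # constructed epoch for the fake clock


class RateLimiter:
    """Shared limiter: at most `rps` calls per second across all threads."""

    def __init__(self, rps: float, clock=time.monotonic, sleep=time.sleep):
        self.interval = 0.0 if rps <= 0 else 1.0 / rps   # 0 disables pacing
        self._lock = threading.Lock()
        self._next_allowed = 0.0
        self._clock, self._sleep = clock, sleep

    def acquire(self) -> float:
        """Block until the next slot is free; return how long the caller waited."""
        with self._lock:
            now = self._clock()
            wait = max(0.0, self._next_allowed - now)
            self._next_allowed = max(now, self._next_allowed) + self.interval
        if wait:
            self._sleep(wait)
        return wait


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class RetryError(Exception): ...
class RetriesExhausted(RetryError): ...
class TimeoutBudgetExhausted(RetryError): ...


def call_with_retries(send, *, max_retries=5, request_timeout=300.0,
                      clock=time.time, sleep=time.sleep):
    """Retry `send()` on retryable statuses.  On 429, sleep until the epoch second
    in X-Rate-Limit-Reset (plus a 1 s guard, an assumption); on 503/504 wait 1 s.
    Stop after `max_retries` retries, or when the next sleep would overrun the
    total `request_timeout` budget."""
    deadline = clock() + request_timeout
    retries = 0
    while True:
        resp = send()
        if resp.status not in RETRYABLE:
            return resp, retries
        if retries >= max_retries:
            raise RetriesExhausted(f"gave up after {retries} retries (status {resp.status})")
        if resp.status == 429:
            reset_at = float(resp.headers.get("X-Rate-Limit-Reset", clock() + 1))
            delay = max(0.0, reset_at - clock()) + 1.0
        else:
            delay = 1.0
        if clock() + delay > deadline:
            raise TimeoutBudgetExhausted("request_timeout budget exhausted before next retry")
        sleep(delay)
        retries += 1


def timeout_covers_retries(max_retries: int, request_timeout: float) -> bool:
    """The page's rule of thumb: budget >= retries x 60 s (one reset window each)."""
    return request_timeout >= max_retries * 60


class FakeClock:
    """Deterministic stand-in for time.time/time.sleep (constructed for the example)."""

    def __init__(self, start=START):
        self.now = start

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def make_server(clock, failures, window=30):
    """Scripted Okta stand-in: answer 429 `failures` times with a reset `window`
    seconds ahead, then 200.  Constructed input, not real API traffic."""
    calls = {"n": 0}

    def send():
        calls["n"] += 1
        if calls["n"] <= failures:
            return Response(429, {"X-Rate-Limit-Reset": str(int(clock.time() + window))})
        return Response(200)

    return send


def simulate_burst(failures=2, max_retries=5, request_timeout=300.0):
    """Run one request against the scripted server; report outcome and elapsed time."""
    clock = FakeClock()
    try:
        resp, retries = call_with_retries(make_server(clock, failures),
                                          max_retries=max_retries,
                                          request_timeout=request_timeout,
                                          clock=clock.time, sleep=clock.sleep)
    except RetryError as exc:
        return {"outcome": type(exc).__name__, "elapsed": clock.now - START}
    return {"outcome": "ok", "status": resp.status, "retries": retries,
            "elapsed": clock.now - START}


def pace_requests(n, rps):
    """Issue n requests through the limiter; return (elapsed seconds, per-call waits)."""
    clock = FakeClock()
    limiter = RateLimiter(rps, clock=clock.time, sleep=clock.sleep)
    waits = [limiter.acquire() for _ in range(n)]
    return clock.now - START, waits


if __name__ == "__main__":
    print(simulate_burst())                     # two 429s absorbed, then 200
    print(simulate_burst(max_retries=1))        # retry cap hit
    print(simulate_burst(request_timeout=40))   # budget smaller than one reset window
    print(pace_requests(4, 2))                  # 2 req/s -> 1.5 s for four calls
```

Lowering the requests-per-second value makes `pace_requests` spread calls further apart, while raising `max_retries` without raising `request_timeout` moves failures from the retry cap to the timeout budget, which is exactly the mismatch the 60-seconds-per-retry rule above avoids.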
Error Example Handled
Validation
Debug Logging
To confirm that throttling and retries are active, run a scan with debug logging:
Check the Messages
Expected Output
When throttling is enabled, Prowler logs the configured rate at startup:
Troubleshooting
If scans continue to hit rate limits:
- Lower `--okta-requests-per-second` so requests are paced more conservatively.
- Raise `--okta-retries-max-attempts` (and keep `okta_request_timeout` proportionally large) so the safety net absorbs more bursts.
- Review the rate-limit allocation for the Okta organization and request an increase if needed.
- Verify throttling and retry behavior with debug logging.

