Quotas and limits

This document contains current content limits and rate quotas for Google Cloud Fraud Defense. This page will be updated to reflect any changes to these restrictions and usage limits.

Rate quotas

The current API usage quotas are as follows (and are subject to change):

| Quota | Value |
|---|---|
| Requests per calendar month (if billing is not enabled) | 10000 |
| Requests per minute | 60000 |
| MFA Requests via email per email address per day | 10 |
| MFA Requests via SMS per phone number per day | 10 |
| MFA Requests via SMS per phone number per 4 hours | 5 |
| MFA Requests (email/SMS) per day | 10000 |

These limits apply to each Google Cloud console project and are shared across all applications and IP addresses using that project.

When you reach a quota limit

When your API usage exceeds a specified quota limit, any new request returns an HTTP error with a Resource Exhausted (429) status code.

For V2, the end user sees an error message similar to the following: This site is exceeding reCAPTCHA quota.

What to do if you expect to go over the quotas

To use reCAPTCHA above the monthly free quota, enable billing for your Google Cloud project. The monthly assessment quota is reset on the first day of each month.

If you expect to exceed other quotas, reach out to your assigned Google Cloud sales point of contact. If you don't have an assigned Google Cloud sales point of contact, contact Google Cloud sales.

For more information about quota errors and status codes, see Troubleshoot quota errors.

Endpoint behavior when exceeding the monthly free quota

Google Cloud projects without an active billing account are subject to a free tier limit. When this quota is exceeded, the CreateAssessment and SiteVerify endpoints exhibit different behavior:

  • CreateAssessment: Requests that exceed the quota fail in a closed state. This means that the API returns an error, typically an HTTP 429 (Too Many Requests) status code or a RESOURCE_EXHAUSTED error. When this occurs, no assessment is created. To help prevent this, over-quota notifications and emails can alert you about a missing billing account.

  • SiteVerify: Requests that exceed the quota fail in an open state. The API returns an HTTP 200 (OK) status. The response body indicates success:true but contains a static score of 0.9 and an error message indicating that you exceeded the quota. This behavior is designed to prevent valid users from being blocked.
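Because an over-quota SiteVerify reply looks like a pass (HTTP 200, success:true, score 0.9), a backend that checks only the score cannot tell it from a real assessment. The following is an added example, not Google's code: it assumes the quota message arrives in the response's error-codes list, and the function names, the 0.5 threshold and the sample bodies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    status: str              # "ok", "degraded" (no real signal) or "rejected"
    score: Optional[float]   # set only when the score is a genuine assessment
    detail: str


def interpret_siteverify(http_status: int, body: dict) -> Verdict:
    """Classify a SiteVerify reply without trusting a fail-open placeholder score."""
    if http_status == 429:
        # Fail-closed path (HTTP 429 / RESOURCE_EXHAUSTED): nothing was assessed.
        return Verdict("degraded", None, "quota exceeded, no assessment created")
    if http_status != 200:
        return Verdict("degraded", None, f"unexpected HTTP {http_status}")
    if not body.get("success"):
        return Verdict("rejected", None, "token not accepted")
    # Assumption: the over-quota message is carried in "error-codes".
    errors = body.get("error-codes") or []
    if errors:
        # success:true together with an error means the score is a static
        # placeholder, so it is dropped instead of compared to a threshold.
        return Verdict("degraded", None, "; ".join(str(e) for e in errors))
    return Verdict("ok", body.get("score"), "assessed")


def allow_action(v: Verdict, threshold: float = 0.5, sensitive: bool = False) -> bool:
    """Keep low-risk flows open when degraded; sensitive flows need another control."""
    if v.status == "ok":
        return v.score is not None and v.score >= threshold
    if v.status == "degraded":
        return not sensitive
    return False


# Constructed sample bodies (not captured from the API).
OVER_QUOTA = {"success": True, "score": 0.9,
              "error-codes": ["constructed-over-quota-message"]}
NORMAL = {"success": True, "score": 0.9}

if __name__ == "__main__":
    for name, body in (("over quota", OVER_QUOTA), ("normal", NORMAL)):
        v = interpret_siteverify(200, body)
        print(name, v.status, v.detail, "sensitive allowed:",
              allow_action(v, sensitive=True))
```

Logging every "degraded" verdict gives an application-side signal that the project is running without risk scores, alongside the over-quota notifications mentioned above.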