FirebaseUI-Android: "The sms quota for this project has been exceeded" error when using email sign in

Describe your environment

  • Android device: Samsung Galaxy S9 (US) (the issue happened in more than one device in Firebase Test Lab)
  • Android OS version: API Level 26
  • Google Play Services version: 16.0.1
  • Firebase/Play Services SDK version: 16.0.8
  • FirebaseUI version: 4.2.1

Step 3: Describe the problem:

Sometimes, when trying to sign in using email authentication, the sign-in fails with the error com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded.. This error seems incorrect as I’m not using SMS verification at all.

The sign-in/up that fails uses email-password only. Google and Facebook are enabled for users to use but they are not used when this error happens.

Steps to reproduce:

  1. Add FirebaseUI to an app with Email, Google and Facebook authentication:
startActivityForResult(authUI.createSignInIntentBuilder()
                               .setAvailableProviders(listOf(GoogleBuilder().build(),
                                                             FacebookBuilder().build(),
                                                             EmailBuilder().build()))
                               .setLogo(R.drawable.img_logo_auth_firebase)
                               .setTheme(R.style.AppTheme_NoActionBar)
                               .setIsSmartLockEnabled(false, false)
                               .build(), RC_SIGN_IN)
  2. Sign in using email.

IMPORTANT: This error doesn’t happen always, only sometimes.

Observed Results:

App logs that show the error:

05-31 15:31:15.575: I/AuthChimeraService(17208): Executing request: ProxyRequest[ url: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?alt=proto&key=AIzaSyAoDYMA20kdNy-hROrNp0ofU28Nk6fzT_A, method: 1 ]
05-31 15:31:15.580: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.585: I/System.out(17208): (HTTPLog)-Static: isSBSettingEnabled false
05-31 15:31:15.585: I/System.out(17208): (HTTPLog)-Static: isSBSettingEnabled false
05-31 15:31:15.596: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.613: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.643: E/Volley(17208): [1968] BasicNetwork.performRequest: Unexpected response code 400 for https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?alt=proto&key=AIzaSyAoDYMA20kdNy-hROrNp0ofU28Nk6fzT_A
05-31 15:31:15.644: I/AuthChimeraService(17208): Error description received from server: QUOTA_EXCEEDED : Exceeded quota for verifying passwords.
05-31 15:31:15.651: W/FirebaseAuth(17208): [PhoneNumberAuthPostProcessor] postProcess starts
05-31 15:31:15.651: W/FirebaseAuth(17208): [PhoneNumberAuthPostProcessor] postProcess ends
05-31 15:31:15.656: E/propClient(4592): PropClient failed to load
05-31 15:31:15.658: E/AuthUI(3596): A sign-in error occurred.
05-31 15:31:15.658: E/AuthUI(3596): com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ]
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.firebase.auth.api.internal.zzds.zzb(Unknown Source:31)
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.firebase.auth.api.internal.zzew.zza(Unknown Source:11)
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.firebase.auth.api.internal.zzeo.zzc(Unknown Source:33)
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.firebase.auth.api.internal.zzep.onFailure(Unknown Source:49)
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.firebase.auth.api.internal.zzdy.dispatchTransaction(Unknown Source:18)
05-31 15:31:15.658: E/AuthUI(3596): 	at com.google.android.gms.internal.firebase_auth.zzb.onTransact(Unknown Source:12)
05-31 15:31:15.658: E/AuthUI(3596): 	at android.os.Binder.execTransact(Binder.java:682)
05-31 15:31:15.664: E/propClient(4596): PropClient failed to load
05-31 15:31:15.664: E/propClient(4594): PropClient failed to load
05-31 15:31:15.670: W/WBPasswordHandler(3596): signInWithEmailAndPassword failed.
05-31 15:31:15.670: W/WBPasswordHandler(3596): com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ]
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.firebase.auth.api.internal.zzds.zzb(Unknown Source:31)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.firebase.auth.api.internal.zzew.zza(Unknown Source:11)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.firebase.auth.api.internal.zzeo.zzc(Unknown Source:33)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.firebase.auth.api.internal.zzep.onFailure(Unknown Source:49)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.firebase.auth.api.internal.zzdy.dispatchTransaction(Unknown Source:18)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at com.google.android.gms.internal.firebase_auth.zzb.onTransact(Unknown Source:12)
05-31 15:31:15.670: W/WBPasswordHandler(3596): 	at android.os.Binder.execTransact(Binder.java:682)
05-31 15:31:15.673: E/propClient(4595): PropClient failed to load
05-31 15:31:15.674: E/propClient(4592): PropClient failed to load
05-31 15:31:15.704: E/propClient(4598): PropClient failed to load
05-31 15:31:15.714: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.721: E/propClient(4601): PropClient failed to load
05-31 15:31:15.723: E/propClient(4600): PropClient failed to load
05-31 15:31:15.730: E/propClient(4599): PropClient failed to load
05-31 15:31:15.730: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.763: E/propClient(4603): PropClient failed to load
05-31 15:31:15.858: E/propClient(4604): PropClient failed to load
05-31 15:31:15.896: D/ConnectivityService(1398): filterNetworkStateForUid() uid: 10220 networkInfo: [type: WIFI[] - WIFI, state: CONNECTED/CONNECTED, reason: (unspecified), extra: "wl-ftl-mt44-1-5", failover: false, available: true, roaming: false, metered: false]
05-31 15:31:15.902: E/propClient(4605): PropClient failed to load
05-31 15:31:15.904: W/StorageManager(1398): getStorageLowBytes lowPercent : 5, lowBytes : 2803014860, maxLowBytes : 524288000

Expected Results:

The app signs in successfully using FirebaseUI.

Relevant Code:

These are the library versions I’m using:

// Firebase UI 
implementation("com.firebaseui:firebase-ui-auth:4.2.1") 
implementation("com.facebook.android:facebook-login:4.38.0") 

// Firebase 
implementation("com.google.firebase:firebase-core:16.0.8") 
implementation("com.google.firebase:firebase-messaging:17.6.0") 
implementation("com.google.firebase:firebase-config:16.5.0") 

About this issue

  • State: open
  • Created 5 years ago
  • Comments: 47 (4 by maintainers)

Most upvoted comments

@sakuradasb I have the same problem in my integration tests where I use Firebase NodeJS (client). My code hasn’t changed for weeks and it worked. In my case, it happens when I call the firebase.auth().signInWithEmailAndPassword method. I didn’t have any issues with quotas before.

We just started seeing the same error yesterday in the middle of the day with our web app, which is developed in Angular. When we look at our actual usage we are nowhere near our quotas from what we can tell.

Coming here from google as well 😃

In one of our apps running Firebase RealtimeDatabase on a Spark plan, we are experiencing the same issue while calling firebase.auth().signInWithEmailAndPassword(email, password).

The issue occurred yesterday at 2020-06-03T15:42:53.070Z with the following exception:

{
    "errorType": "Error",
    "errorMessage": "Exceeded quota for verifying passwords.",
    "code": "auth/quota-exceeded",
    "message": "Exceeded quota for verifying passwords."
}

We are connecting to Firebase from AWS Lambda, therefore under higher load, we can expect multiple signInWithEmailAndPassword calls in parallel.

I was not able to find details about this quota. Is this documented somewhere? Also, does this quota depend on the plan (are we going to remove the issue by upgrading to the Flame and Blaze plans), or is it a kind of security limit which we are not able to affect?

Thank you very much

Marian

I have the same issue that seems to have started yesterday. I’m not sure it is SMS related, but I don’t see any other login quotas documented so it’s hard to say for sure what the issue is.

When using this endpoint we sometimes get the error below:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword

{
  "error": {
    "code": 400,
    "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
    "errors": [
      {
        "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I too am getting this error just today, seemed to work ok before. No code changes on my end.

‘QUOTA_EXCEEDED : Exceeded quota for verifying passwords.’

In my case, a predefined email account is set, and all app users share the same account to access Firebase Database. (Allowing anonymous sign-in is not suitable for me.)

This worked for years until we got ‘Exceeded quota for verifying passwords.’ recently.

@bojeil-google I already have… here was the answer (which is unacceptable imho):

Hi Josh,

My name is Triana from the Firebase support team, I will be happy to help here!

For the error you are facing “Exceeded quota for verifying passwords”, this usually happens when one sends requests for verifying passwords or password login requests too many times at once (more than 20 requests per second per IP address or 25 requests per 10 min per account). When we get a huge amount of requests in a short period of time, the limit is applied automatically to protect our servers.

This is an internal quota (regardless of pricing plans) enforced by Firebase Authentication to prevent abuse when making authentication requests, for this reason the quota can change without notice.

In order to avoid triggering this alert, you can do the following actions:

  1. Use a different IP address.
  2. Backing off the number of requests per minute to something like 10-20, to avoid triggering the automated abuse detection.
  3. Reduce the frequency of attempts.

20 requests per MINUTE?! Really?

This basically makes Firebase Auth unsuitable for:

  1. Automated testing
  2. CI/CD

I’m gonna go out on a limb here and suggest that Google’s infrastructure could handle more login requests than that per microsecond.
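
A client-side way to stay under the per-account limit quoted in the support reply above and to back off when the quota error still arrives, as an added example that is not part of the original thread or of the Firebase SDK. The 25-requests-per-10-minutes figure is taken from that reply and may change without notice; `SlidingWindowLimiter`, `backoffMs`, `isQuotaError` and `throttledSignIn` are hypothetical names, and `signIn` is any promise-returning function you supply.

```javascript
// Limit quoted in the support reply; internal to Firebase and subject to change.
const ACCOUNT_LIMIT = { max: 25, windowMs: 10 * 60 * 1000 };

// Sliding-window counter keyed by account (hypothetical helper, not an SDK class).
class SlidingWindowLimiter {
  constructor({ max, windowMs }) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of attempts inside the window
  }

  // Records the attempt and returns 0 if allowed, otherwise the ms to wait.
  reserve(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    this.hits.set(key, recent);
    if (recent.length >= this.max) return recent[0] + this.windowMs - now;
    recent.push(now);
    return 0;
  }
}

// Exponential backoff with full jitter, capped at capMs.
function backoffMs(attempt, baseMs = 1000, capMs = 60000, rand = Math.random) {
  return Math.floor(rand() * Math.min(capMs, baseMs * 2 ** attempt));
}

// Matches both error shapes shown in the thread (SDK code and REST message).
function isQuotaError(err) {
  return Boolean(err) &&
    (err.code === 'auth/quota-exceeded' || /QUOTA_EXCEEDED/.test(err.message || ''));
}

// signIn: any promise-returning function, e.g. a wrapper around
// firebase.auth().signInWithEmailAndPassword(email, password).
async function throttledSignIn(signIn, limiter, email, password, opts = {}) {
  const { retries = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  const key = email.trim().toLowerCase();
  for (let attempt = 0; ; attempt++) {
    let wait;
    while ((wait = limiter.reserve(key)) > 0) await sleep(wait); // stay under the window
    try {
      return await signIn(email, password);
    } catch (err) {
      // Retry only throttling; bad credentials would just burn the account budget.
      if (!isQuotaError(err) || attempt >= retries) throw err;
      await sleep(backoffMs(attempt));
    }
  }
}
```

The limiter is per process: parallel instances, such as the Lambda invocations mentioned earlier in the thread, do not share its state, and the per-IP limit is not modelled.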

To add on to what @rosalyntan said there are a few things going on here:

  • The error message is wrong. The Auth SDK always mentions “sms” when it gets a quota error from the backend even when the quota that was hit is not an SMS-related quota. We’ll fix that.
  • We are investigating the deeper issue of why so many people are hitting unexpected quotas, thank you all for reporting this! Your persistence made us realize there was something fishy going on here.

I have the same issue that seems to have started yesterday. I’m not sure it is SMS related, but I don’t see any other login quotas documented so it’s hard to say for sure what the issue is.

When using this endpoint we sometimes get the error below:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword

{
  "error": {
    "code": 400,
    "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
    "errors": [
      {
        "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I use endpoint: https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword also got this error.

I am seeing this issue when calling getIdToken() from an Android application. How should we mitigate this? Caching the ID token leads to complexity on when to refresh it, and it should be handled by Firebase. I need to get the ID token before making server API calls, so this is used quite frequently.

I am getting the same error when our website’s nodejs code calls email authentication. The Firebase SDK returns the message “Exceeded quota for verifying passwords.”

Thousands of our website “https://dasshutsu.games/” users are having trouble playing the games.

I hope this problem will be fixed quickly.

Found this via googling. I am getting a similar error when I use a nodejs app to send messages to PubSub… the messages are subsequently processed, and inserted into Firestore.

Same here. Sign in with email authentication, but got sms quota exceeded messages.

AuthChimeraService: Error description received from server: QUOTA_EXCEEDED : Exceeded quota for verifying passwords.

com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ]
	at com.google.firebase.auth.api.internal.zzeh.zza(com.google.firebase:firebase-auth@@19.3.0:31)
	at com.google.firebase.auth.api.internal.zzfo.zza(com.google.firebase:firebase-auth@@19.3.0:21)
	at com.google.firebase.auth.api.internal.zzfe.zza(com.google.firebase:firebase-auth@@19.3.0:34)
	at com.google.firebase.auth.api.internal.zzfg.zza(com.google.firebase:firebase-auth@@19.3.0:74)
	at com.google.firebase.auth.api.internal.zzen.zza(com.google.firebase:firebase-auth@@19.3.0:18)
	at com.google.android.gms.internal.firebase_auth.zza.onTransact(com.google.firebase:firebase-auth@@19.3.0:13)
	at android.os.Binder.execTransactInternal(Binder.java:1021)
	at android.os.Binder.execTransact(Binder.java:994)

You could even file for a feature request to whitelist calls from certain IP addresses, etc.

This would definitely be well received.

If you are sending too many requests in a short period of time from the same IP address, then there is an expectation that you will get throttled at some point. It may suck for your integration tests but there is a security benefit that comes with that. The easier it is for you to test, the easier it is for malicious scripts to be written too against your project. We have similar integration tests in other firebase auth libraries (client and admin) and we try to work with the limit. This is true for all services. It is not unique to Firebase or Google.

If you have a legitimate need to increase the limit, then you can file a bug with support and make a case for that. You could even file for a feature request to whitelist calls from certain IP addresses, etc.

We are tracking this internally at b/157950613.

Today, I also got QUOTA_EXCEEDED : Exceeded quota for verifying passwords. Why? My code has not changed. It worked many times before, until today.

@FrancoSabadini really sorry about the slow response here! That’s my fault.

@lsirac can you help me figure out what backend quota this is and how we can avoid it?