Workflows system limits

There are Workflows best practices and system limits that can impact the design and success of your flow.

Guidance for Workflows scale and performance
Supported use cases
Workflows platform limits
Latency
Hooks
Automations
Okta API
Cell Support

Guidance for Workflows scale and performance

Okta Workflows is a powerful and flexible platform for automating identity processes. It's designed, tested, and optimized for a growing set of lifecycle management, data synchronization, and task automation use cases, and can be extended to do much more.

In this section, read about common use cases, important principles and limits to keep in mind when building flows, and how to ensure successful deployments.

As a Workflows customer, you'll be more successful when you perform these tasks:

Understand supported use cases. See Supported use cases.
Build flows using best practices and strong architecture. See Best practices for building flows.
Understand the system's hard limits. See Workflows platform limits.

Supported use cases

While Workflows can do many things, it's optimized for a specific set of identity-related tasks. These are documented in both our help center and within Workflows using various resources.

Use cases	Templates	Connectors
Workflows is optimized and tested for a set of core workforce identity and customer identity use cases. See Okta Workflows use cases.	Okta develops and curates an expanding library of importable templates. These are reviewed by Okta before they're released. See Available Workflows templates.	Okta maintains a large set of native SaaS connectors that include easy API connectivity, improved usability and documentation, and optimizations such as built-in backoff and retry. See Connectors.

Use cases

Templates

Connectors

Workflows is optimized and tested for a set of core workforce identity and customer identity use cases.

See Okta Workflows use cases.

Okta develops and curates an expanding library of importable templates. These are reviewed by Okta before they're released.

See Available Workflows templates.

Okta maintains a large set of native SaaS connectors that include easy API connectivity, improved usability and documentation, and optimizations such as built-in backoff and retry.

See Connectors.

Use cases can be classified approximately within three zones.

Green Zone	Yellow Zone	Red Zone
These use cases are well tested and supported: Documented Okta core use cases for workforce and customer identity. See Okta Workflows use cases. Scheduled flows and asynchronous use cases without specific latency requirements. Event-driven provisioning or other interfacing between Okta and third-party SaaS systems, including event hooks. Inbound data reading with Okta search, get, or list cards using data streaming from Okta or third-party systems. See Set up the stream matching option with a helper flow.	These use cases require careful attention to architecture and best practices, and have a higher risk of running into system limits or other caveats. Support is provided on a best effort basis and working with professional services is recommended to ensure success. Okta event hook flows above 100,000 events per day. Moderate scale bulk-data searches or listing from Okta or third-party systems that don't use data streaming (see Data streaming with action cards). Synchronous flows such as customizing an auth decision or orchestrating user interaction. Flows with specific low-latency requirement, including inline hooks. See Latency. Flows with moderate latency requirements of 3–60 seconds, with understanding that at times executions may take longer than 60 seconds. One-time large directory imports, migrations, or bulk loads. Custom integrations to third-party systems using raw HTTP requests. Large data processing within a single execution. Flows that start with the API Endpoint card. Common challenges in this area include: System load may cause latency variance of 10 times or more than average performance. You may hit rate limits or timeouts with third-party systems. Large flows may be stopped due to excessive memory usage. The system may throttle flows due to excessive resource usage. See Execution limits.	These use cases aren't currently supported: Continuous directory synchronization, such as implementing an HRaaS architecture using Workflows and raw user APIs. Flows for on-premises scenarios or support for connections to on-premises applications.

Green Zone

Yellow Zone

Red Zone

These use cases are well tested and supported:

Documented Okta core use cases for workforce and customer identity. See Okta Workflows use cases.
Scheduled flows and asynchronous use cases without specific latency requirements.
Event-driven provisioning or other interfacing between Okta and third-party SaaS systems, including event hooks.
Inbound data reading with Okta search, get, or list cards using data streaming from Okta or third-party systems. See Set up the stream matching option with a helper flow.

These use cases require careful attention to architecture and best practices, and have a higher risk of running into system limits or other caveats. Support is provided on a best effort basis and working with professional services is recommended to ensure success.

Okta event hook flows above 100,000 events per day.
Moderate scale bulk-data searches or listing from Okta or third-party systems that don't use data streaming (see Data streaming with action cards).
Synchronous flows such as customizing an auth decision or orchestrating user interaction.
Flows with specific low-latency requirement, including inline hooks. See Latency.
Flows with moderate latency requirements of 3–60 seconds, with understanding that at times executions may take longer than 60 seconds.
One-time large directory imports, migrations, or bulk loads.
Custom integrations to third-party systems using raw HTTP requests.
Large data processing within a single execution.
Flows that start with the API Endpoint card.

Common challenges in this area include:

System load may cause latency variance of 10 times or more than average performance.
You may hit rate limits or timeouts with third-party systems.
Large flows may be stopped due to excessive memory usage.
The system may throttle flows due to excessive resource usage. See Execution limits.

These use cases aren't currently supported:

Continuous directory synchronization, such as implementing an HRaaS architecture using Workflows and raw user APIs.
Flows for on-premises scenarios or support for connections to on-premises applications.

Workflows platform limits

Category	Title	Limit	Description
Flows	Number of active flows per Org	Varies per plan	An admin is allowed to run a maximum number of active flows according to these tiers: Workflows Starter: 5 active flows Light Workflows: 50 active flows Medium Workflows: 150 active flows Unlimited Workflows: Unlimited active flows Flows that are turned off aren't counted against the limit. The limit is configurable on a per-org basis. See Flow limits. If you have a legacy Workflows entitlement (for example, from Advanced Lifecycle Management), then you're limited to 100 active parent flows.
Flows	Number of flows in an exported folder	Varies per plan	Using the Export Flow function card, the maximum number of flows that you can export is determined by your Workflows subscription plan. Your organization’s available export capacity is reset every 15 minutes. To perform a successful export, the number of exported flows can't exceed the assigned limit. Otherwise, the export fails in its entirety, and no flows will be exported. Flow limits don't apply to exports that are performed using the Workflows Export dialog.
Flow Executions	Workflows instance memory limit	100 MB	Limit on the instance variables that are stored in a flow as part of its execution.
	Maximum pause duration	30 days	The amount of time that a flow can be paused as it waits for a person's or a system's response before it terminates.
	Maximum steps per flow	2 million	The maximum number of steps that can be executed in a flow.
	Rate limit for flow executions	10 invocations per second per flow	There are different limits for event and inline hook delivery (see following tables). However, if you're invoking a flow directly from the API, there's a limit of 10 invocations per second per flow. Once that limit is exceeded, a 429 response code occurs.
	Recursion limit	250	The maximum number of times a helper flow can call itself. Flows that exceed this limit will encounter the following error message: Stack limit exceeded.
	Payload limit	1 MB	If any single message in the Flow History exceeds 1 MB in size, then it will not be stored. The entry in the output field is replaced with the following message: The data returned successfully, but is too large to display. Despite the message, no error has occurred. There's no impact on the success of the flow, and the data will still be operated on as expected.
Flow Files	Attachments	10 MB	The size limit on files inside flows for attachments used in action cards such as the Send Email with Attachment action card for the Gmail connector.
	Downloads and uploads	2 GB	The size limit on files inside flows from download or upload action cards, such as: Upload Attachment action card for the Salesforce connector Upload File action card for the Google Drive connector Download Document in Envelope action card for the DocuSign connector.
	Retention	30 days	The maximum amount of time that any file can be stored in the Workflows file system.
Flow History	Data time to live	30 days	The time limit on flow Execution history that appears in the Workflows Designer console.
Flow Tables	Number of tables	100	The number of tables available in an org. This limit is configurable on a per-org basis.
	Row limits	100,000	The maximum number of rows in a table. You can't add a row to a table after you've reached the limit.
	Column limits	256	The maximum number of columns in a table. You can't add a column to a table after you've reached the limit.
	Cell limits	16 KB	The size limit of a single Workflows table cell. If you update a table cell with an input that is larger than the limit, an error will be returned.
	Cell character limits	16,000	Limit on the number of characters in a table cell.
API	Timeout	60 seconds	For an incoming HTTP connection to an API Endpoint that invokes a synchronous flow, the amount of time it waits before terminating the connection. However, the flow itself won't be terminated.
API Endpoints	File payload size	100 MB total, 25 MB per part	For an HTTP multipart request, the maximum payload size is 100 MB. For each part (file, text, password, media, and so forth), the limit is 25 MB.

Latency

Workflows doesn't guarantee execution latency. Usually flows run very fast. However, Workflows is a multi-tenant system and doesn't have a latency SLA.

Flows execution times depend on:

Complexity of the flow (including built-in waits)
Lag between increased demand for system resources and Okta adding extra capacity
Latency or rate limiting by third-party APIs

Because specific latency can't be guaranteed, Workflows shouldn't be used in any flows where execution time is critical to the scenario, such as token enrichment or customizing authorization decisions.

Hooks

There are limits on Okta events that are used to trigger flows.

Neither event hook delivery nor flow execution order is guaranteed. It's a fully asynchronous environment. It's important to consider that concurrent events could be fired for a single user, and the state of a user may have changed since the event was fired. For example, a user may have been deactivated accidentally and then immediately reactivated. A flow that responds to the deactivation event may run either before or after the reactivation event. Similarly, the user may no longer be deactivated by the time the deactivation flow runs.

There are some more complex considerations. In exceptional cases, like an infrastructure failover, Okta may process some requests in a read-only mode until the failover is complete. That means that an event may fire for a process that can't complete. The best example is one that isn't currently supported by the Workflow product: Password import inline hook. It's possible for that hook to fire, but the password isn't imported because of the read-only mode. Listeners shouldn’t delete the user password from a legacy system until they see a successful user.import.password event and not assume that the hook firing was sufficient.

Feature	Limit Type	Limit	Description
Event hooks	Timeout	3 seconds	Okta event hooks have a completion timeout of three seconds with a single retry. A request isn't retried if your endpoint returns a 4xx HTTP error code. Any 2xx code is considered successful, and thus the request isn't retried. If the external service endpoint responds with a redirect, it isn't followed.
	Number of daily event hooks	200,000	A max of 200,000 Event Hooks can be fired per org per day. Event hooks aren't recorded or replayed after this point. Outside of hitting the daily limit, Workflows event hooks are retried up to a certain time limit.
	Maximum number of event hooks per org	10	A maximum of 10 active Event Hooks can be configured per org. Each event hook can be configured to deliver multiple event types.
	Maximum number of event hooks events per payload	100 events	A maximum of 100 events can be grouped with each event hook payload. Each event hook can be configured to deliver multiple event types.
Inline hooks	Timeout	3 seconds	Okta inline hooks have a completion timeout of three seconds with a single retry. A request isn't retried if your endpoint returns a 4xx HTTP error code. Any 2xx code is considered successful, and thus the request isn't retried. If the external service endpoint responds with a redirect, it isn't followed.
Inline hooks	Maximum number of inline hooks per org	50	The maximum number of inline hooks that can be configured per org is 50. This is a combined total for any combination of inline hook types.

For more guidelines, see Event Hooks and Inline Hooks.

Automations

Okta automations enable you to prepare and respond to situations that occur during the lifecycle of end users assigned to an Okta group.

Category	Title	Limit	Description
Automations	Maximum number of automations per org	50	The maximum number of combined active and inactive automations for your org is 50.
Maximum number of groups per automation	10	The maximum number of groups per automation is 10.
Maximum number of users per automation	1 million	The maximum number of total summed users included in the group membership applied to a single automation can't exceed 1 million. When automations are set up with multiple groups, the user count is incremented each time a user is added to a group. When the total number of users exceeds 1 million, the automation doesn't run and an event is logged in the System log.

Okta API

The Okta API has specific per-org rate limits that apply to all actions taken by Workflows. These rate limits vary by endpoint and pricing plan, but are shared between Workflows actions and actions from external apps. For more information, see Rate Limits.

If you have a custom integration using the Okta API and are also experimenting with new Workflows development, you can exceed your Okta rate limit and disrupt both activities. It's recommended to develop new flows in a preview environment to avoid these issues. If disruptions do occur, pause any new flow until the rate limit rests in the next minute.

Cell Support

Workflows is available for North America, EU, and Asia Pacific/Japan (APJ) production and preview cells.

Customers must purchase the Regulated Community Cloud Cell and execute Okta's Business Associate Agreement (BAA) to send or store in Okta Workflows any protected health information, personal heath data, or other sensitive data that is subject to the Health Insurance Portability and Accountability Act (HIPAA).

Okta Workflows isn't covered under Okta’s FedRAMP authorization package regardless of cell.