Workflows system limits

There are Workflows best practices and system limits that can impact the design and success of your flow.

Guidance for Workflows scale and performance

Okta Workflows is a powerful and flexible platform for automating identity processes. It's designed, tested, and optimized to handle your lifecycle management, data synchronization, and task automation use cases. You can also extend it to do much more.

This document covers common use cases, important principles, and the limits you should keep in mind when building flows to ensure successful deployments.

To improve your Workflows experience, you need to understand the following.

Supported use cases

While Workflows can do many things, it's optimized for a specific set of identity-related tasks.

Use cases

Templates

Connectors

Okta Workflows is optimized and tested for a set of core workforce identity and customer identity use cases.

Okta develops and curates an expanding library of importable templates. Okta reviews and tests templates before they're released.

Okta maintains a large set of SaaS connectors. These connectors handle API calls through a user-friendly, no-code interface, with optimizations such as built-in backoff and retry.

See Okta Workflows use cases.

See Available Workflows templates.

See Connectors.

Use cases can be classified approximately within three zones.

Green Zone

Yellow Zone

Red Zone

These use cases are well tested and supported:

  • Documented Okta core use cases for workforce and customer identity. See Okta Workflows use cases.

  • Scheduled flows and asynchronous use cases without specific latency requirements.

  • Event-driven provisioning or other interfacing between Okta and third-party SaaS systems, including event hooks.

  • Inbound data reading with Okta search, get, or list cards using data streaming from Okta or third-party systems. See Stream matching records with a helper flow.

These use cases require careful attention to architecture and best practices, and have a higher risk of running into system limits or other caveats. Support is provided on a best effort basis and working with professional services is recommended to ensure success.

  • Okta event hook flows above 100,000 events per day.

  • Moderate scale bulk-data searches or listing from Okta or third-party systems that don't use data streaming (see Stream data with action cards).

  • Synchronous flows such as customizing an auth decision or orchestrating user interaction.

  • Flows with specific low-latency requirement, including inline hooks. See Latency.

  • Flows with moderate latency requirements of 3-60 seconds, understanding that executions may take longer than 60 seconds.

  • One-time large directory imports, migrations, or bulk loads.

  • Custom integrations to third-party systems using raw HTTP requests.

  • Large data processing within a single execution.

  • Flows that start with the API Endpoint card.

Common challenges in this area include:

  • System load may cause a latency variance of 10 times higher than average performance.

  • You may hit rate limits or timeouts with third-party systems.

  • Large flows may be stopped due to excessive memory usage.

  • Flow executions may get stuck in progress.

  • The system may throttle flows due to excessive resource usage. See Execution limits.

These use cases aren't currently supported:

  • Continuous directory synchronization, such as implementing an HRaaS architecture using Workflows and raw user APIs.

  • Flows for on-premises scenarios or support for connections to on-premises applications.

Workflows platform limits

Category

Title

Limit

Description

Flows

Number of active flows per Org

Varies per plan

The maximum number of active flows you can run depends on your plan:

  • Workforce Identity Cloud Free Trial: 5 active flows, with a maximum limit on flow executions

  • Workflows Starter: 5 active flows

  • Light Workflows: 50 active flows

  • Medium Workflows: 150 active flows

  • Unlimited Workflows: Unlimited active flows

Flows that are turned off aren't counted against the limit. The limit is configurable on a per-org basis. See Flow limits.

If you have a legacy Workflows entitlement (for example, from Advanced Lifecycle Management), then you're limited to 100 active parent flows.

Number of flows in an exported folder

Varies per plan

For the Export Flow or Export Folder function cards, the maximum number of flows that you can export in each 15-minute period depends on your plan:

  • Workforce Identity Cloud Free Trial: 10 flows

  • Workflows Starter: 10 flows

  • Light Workflows: 100 flows

  • Medium Workflows: 300 flows

  • Unlimited Workflows: 1000 flows

Your org's export capacity resets every 15 minutes.

To perform a successful export, the number of exported flows can't exceed the assigned limit. Otherwise, the export fails, and no flows are exported.

The total number of flows counted includes flows located within any subfolders.

Flow limits don't apply to exports performed using the Export dialog from the folder sidebar.

Flow Executions

Memory limit for a Workflows instance

100 MB

Limit on the instance variables stored in a flow as part of its execution.

Maximum pause duration

30 days

The amount of time that a flow can be paused as it waits for a person's or a system's response before it terminates.

Maximum steps per flow

2 million

The maximum number of steps that can be executed in a flow.

Number of executions

Only applies to Workforce Identity Cloud Free Trial

1,000 per org

Workforce Identity Cloud Free Trial orgs have a limit on the number of flow executions over the free trial period. This limit is subject to change without notice.

There's no flow executions limit for orgs on the Workflows Starter plan, or the Light, Medium, and Unlimited plans.

Rate limit for flow executions

10 invocations per second per flow

Event and inline hook delivery have different rate limits (see following tables). However, if you're invoking a flow directly from the API, there's a limit of 10 invocations per second per flow.

After the limit is exceeded, Okta returns a 429 error code.

Recursion limit

250

The maximum number of times a helper flow can call itself. Flows that exceed this limit receive the following error message: Stack limit exceeded.

Payload limit

1 MB

If any single message in the execution history exceeds 1 MB, it isn't stored. The entry in the output field is replaced with the following message:

The data returned successfully, but is too large to display.

Despite the message, no error has occurred. There's no impact on the data operations or the ultimate success of the flow.

Flow Files

Attachments

10 MB

The size limit on files inside flows for attachments used in action cards such as the Send Email with Attachment action card for the Gmail connector.

Downloads and uploads

2 GB

The size limit on files inside flows from download or upload action cards, such as:

  • Upload Attachment action card for the Salesforce connector

  • Upload File action card for the Google Drive connector

  • Download Document in Envelope action card for the DocuSign connector.

SFTP file transfers

25 MB

The size limit on files transferred using the SFTP connector cards.

Retention

30 days

The maximum amount of time that any file can be stored in the Workflows file system.

Execution history Data time to live 30 days The time limit on flow execution history that appears in the Workflows Designer console.

Flow Tables

Number of tables

100

The number of tables available in an org.

Row limits

100,000

The maximum number of rows in a table.

You can't add a row to a table after you've reached the limit.

Column limits

256

The maximum number of columns in a table.

You can't add a column to a table after you've reached the limit.

Cell limits

16 KB

The size limit of a single Workflows table cell.

Attempting to update a table cell with an input that is larger than the limit returns an error.

Cell character limits

16,000

Limit on the number of characters in a table cell.

API

Timeout - synchronous

60 seconds

For an incoming HTTP connection to an API endpoint that invokes a synchronous flow, the amount of time it waits before terminating the connection. However, the flow itself isn't terminated.

Timeout - asynchronous

120 seconds

For an HTTP request that must wait for an asynchronous action to complete, the connection is dropped after this limit.

API endpoints

File payload size

100 MB total, 25 MB per part

For a multi-part HTTP request, the maximum payload size is 100 MB. For each part (file, text, password, media, and so forth), the limit is 25 MB.

Latency

Okta Workflows doesn't guarantee execution latency. Usually flows run fast. However, Workflows is a multi-tenant system and doesn't have a latency SLA.

Flows execution times depend on:

  • Complexity of the flow (including built-in waits)

  • Lag between increased demand for system resources and Okta adding extra capacity

  • Latency or rate limiting by third-party APIs

Hooks

There are limits on Okta events used to trigger flows.

There's no guarantee for the order of event hook delivery or flow execution, as it runs in a fully asynchronous environment. It's important to consider that concurrent events could be fired for a single user, and the state of a user may have changed since the event fired.

For example, a user may have been accidentally deactivated and then immediately reactivated. A flow responding to the deactivation event may run before or after the reactivation event, so the user may not be deactivated when the deactivation flow runs.

Delays that result from event hook calls usually resolve in less than 60 minutes. If your event hook calls are delayed for more than 60 minutes, contact Okta support.

In exceptional cases, like an infrastructure failover, Okta may process some requests in a read-only mode until the failover process completes. This could result in a scenario that an event may fire for a process that can't complete.

A password import inline hook is one specific example that Okta Workflows doesn't currently support. While that hook can fire, the password isn't imported because of the read-only mode. Listeners shouldn't delete the user password from a legacy system until they receive a successful user.import.password event. Don't assume that the hook firing is sufficient.

Feature

Limit Type

Limit

Description

Event hooks

Timeout

3 seconds

Okta event hooks have a completion timeout of three seconds with a single retry.

A request isn't retried if your endpoint returns a 4xx HTTP error code.

Any 2xx code is considered successful, and thus the request isn't retried. If the external service endpoint responds with a redirect, it isn't followed.

Number of daily events

400,000

Okta limits each org to 400,000 applicable events within a 24-hour period. After your org reaches this threshold, further event hooks aren't triggered. The System Log receives a warning before hitting the event limit, when the number of events reaches 280,000. The event limit resets 24 hours after the first event.

If a request times out after three seconds, event hooks are retried once. Retries don't count toward the org limit.

Maximum number of event hooks per org

25

A maximum of 25 active event hooks can be configured per org. Each event hook can be configured to deliver multiple event types.

Maximum number of event hooks events per payload

100 events

A maximum of 100 events can be grouped with each event hook payload. Each event hook can be configured to deliver multiple event types.

Inline hooks

Timeout

3 seconds

Okta inline hooks have a completion timeout of three seconds with a single retry.

A request isn't retried if your endpoint returns a 4xx HTTP error code.

Any 2xx code is considered successful, and thus the request isn't retried. If the external service endpoint responds with a redirect, it isn't followed.

Maximum number of inline hooks per org

100

The maximum number of inline hooks that you can configure per org is 100. This is a combined total for any combination of inline hook types.

For more guidelines, see Event Hooks and Inline Hooks.

Automations

Okta automations enable you to prepare and respond to situations that occur during the lifecycle of end users assigned to an Okta group.

Category

Title

Limit

Description

Automations

Maximum number of automations per org

50

The maximum number of combined active and inactive automations for your org is 50.

Maximum number of groups per automation

10

The maximum number of groups per automation is 10.

Maximum number of users per automation

1 million

The maximum number of total summed users included in the group membership applied to a single automation can't exceed 1 million.

When automations are set up with multiple groups, the user count is incremented each time a user is added to a group.

When the total number of users exceeds 1 million, the automation doesn't run and an event is logged in the System Log.

For more guidelines, see Automations.

Connector Builder

Connector Builder creates packages containing API endpoints and data manipulation functions with authentication and branding.

Category

Title

Limit

Description

Submissions

Maximum number of test deployments per org

100 per day

The maximum number of test deployments for all connectors is 100 each day.

Okta API

The Okta API has specific rate limits that apply to all Workflows actions. These rate limits vary by endpoint and pricing plan, but are shared between Workflows actions and actions from external apps. For more information, see Rate Limits.

If you have a custom integration that uses the Okta API but are also experimenting with new Workflows development, you can potentially exceed your Okta rate limit. This results in a disruption to both activities. To avoid this scenario, develop any new flows inside a Preview environment. If you encounter disruptions, pause any new flow until the rate limit resets after 60 seconds.

Okta Connector

The Okta connector in Workflows communicates through the Okta API. However, the rate limits for this built-in connector are slightly different than those for regular Okta API limits.

Category

Title

Limit

Description

API requests - Concurrent

Workflows to an Okta org

30

The maximum number of concurrent requests from Workflows to an Okta org across all endpoints.

GET or READ requests for a specific user

15

The maximum number or concurrent requests from Workflows to the /api/v1/users/${id} endpoint.

This limit doesn't count against the concurrent Workflows requests limit.

API requests - Total

Workflows to an Okta org

6000 per minute

The maximum number of all requests made from Workflow to an Okta org across all endpoints.

If you choose to Authenticate with API Connector cards for connections to the Okta API, then the standard Okta API rate limits apply. See Rate Limits.

Requests made by Workflows through the built-in Okta connector don't appear in the rate limits dashboard, as the standard rate limits don't apply to this connector.

Rate limit remediation

If your needs exceed the default rate limits for the product subscription that you've already purchased, you can purchase a DynamicScale add-on service. You can purchase this add-on annually for a production tenant or temporarily for testing in a sandbox tenant. See DynamicScale rate limits.

In addition, Workforce Identity Cloud orgs created after January 7, 2021 have increased default rate limits. See Workforce multiplier rate limits.

If you have DynamicScale or the workforce multiplier in your environment, the Okta connector limits change to the following:

Category

Title

Limit

Description

API requests - Concurrent

Workflows to an Okta org

Varies per plan

The maximum number of concurrent requests from Workflows to an Okta org across all endpoints.

  • 5x - 50 concurrent requests

  • 10x - 80 concurrent requests

  • 25x - 120 concurrent requests

  • 50x - 150 concurrent requests

GET or READ requests for a specific user

Varies per plan

The maximum number or concurrent requests from Workflows to the /api/v1/users/${id} endpoint.

  • 5x - 25 concurrent requests

  • 10x - 40 concurrent requests

  • 25x - 60 concurrent requests

  • 50x - 75 concurrent requests

The limit doesn't count against the concurrent Workflows requests limit.

Cell Support

Okta Workflows is available for North America, EU, and Asia Pacific/Japan (APJ) production and preview cells.

If your flows send or store any of the following, you must purchase the Okta Regulated Moderate Cloud and execute the Okta Business Associate Agreement (BAA):

  • Protected health information

  • Personal heath data

  • Other sensitive data that is subject to the Health Insurance Portability and Accountability Act (HIPAA)

Okta Workflows isn't covered under the Okta Federal Risk and Authorization Management Program (FedRAMP) authorization package, regardless of cell.