"The sms quota for this project has been exceeded" error when using email sign in

[francos]

Describe your environment

• Android device: Samsung Galaxy S9 (US) (the issue happened in more than one device in Firebase Test Lab)
• Android OS version: API Level 26
• Google Play Services version: 16.0.1
• Firebase/Play Services SDK version: 16.0.8
• FirebaseUI version: 4.2.1

Step 3: Describe the problem:

Sometimes, when trying to sign in using email authentication, the sign-in fails with the error com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded.. This error seems incorrect as I'm not using SMS verification at all.

The sign-in/up that fails uses email-password only. Google and Facebook are enabled for users to use but they are not used when this error happens.

Steps to reproduce:

1. Add FirebaseUI to an app with Email, Google and Facebook authentication:

startActivityForResult(authUI.createSignInIntentBuilder()
                               .setAvailableProviders(listOf(GoogleBuilder().build(),
                                                             FacebookBuilder().build(),
                                                             EmailBuilder().build()))
                               .setLogo(R.drawable.img_logo_auth_firebase)
                               .setTheme(R.style.AppTheme_NoActionBar)
                               .setIsSmartLockEnabled(false, false)
                               .build(), RC_SIGN_IN)

2. Sign in using email.

IMPORTANT: This error doesn't happen always, only sometimes.

Observed Results:

App logs that show the error:

05-31 15:31:15.575: I/AuthChimeraService(17208): Executing request: ProxyRequest[ url: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?alt=proto&key=AIzaSyAoDYMA20kdNy-hROrNp0ofU28Nk6fzT_A, method: 1 ]
05-31 15:31:15.580: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.585: I/System.out(17208): (HTTPLog)-Static: isSBSettingEnabled false
05-31 15:31:15.585: I/System.out(17208): (HTTPLog)-Static: isSBSettingEnabled false
05-31 15:31:15.596: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.613: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.643: E/Volley(17208): [1968] BasicNetwork.performRequest: Unexpected response code 400 for https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?alt=proto&key=AIzaSyAoDYMA20kdNy-hROrNp0ofU28Nk6fzT_A
05-31 15:31:15.644: I/AuthChimeraService(17208): Error description received from server: QUOTA_EXCEEDED : Exceeded quota for verifying passwords.
05-31 15:31:15.651: W/FirebaseAuth(17208): [PhoneNumberAuthPostProcessor] postProcess starts
05-31 15:31:15.651: W/FirebaseAuth(17208): [PhoneNumberAuthPostProcessor] postProcess ends
05-31 15:31:15.656: E/propClient(4592): PropClient failed to load
05-31 15:31:15.658: E/AuthUI(3596): A sign-in error occurred.
05-31 15:31:15.658: E/AuthUI(3596): com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ]
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.firebase.auth.api.internal.zzds.zzb(Unknown Source:31)
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.firebase.auth.api.internal.zzew.zza(Unknown Source:11)
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.firebase.auth.api.internal.zzeo.zzc(Unknown Source:33)
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.firebase.auth.api.internal.zzep.onFailure(Unknown Source:49)
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.firebase.auth.api.internal.zzdy.dispatchTransaction(Unknown Source:18)
05-31 15:31:15.658: E/AuthUI(3596):     at com.google.android.gms.internal.firebase_auth.zzb.onTransact(Unknown Source:12)
05-31 15:31:15.658: E/AuthUI(3596):     at android.os.Binder.execTransact(Binder.java:682)
05-31 15:31:15.664: E/propClient(4596): PropClient failed to load
05-31 15:31:15.664: E/propClient(4594): PropClient failed to load
05-31 15:31:15.670: W/WBPasswordHandler(3596): signInWithEmailAndPassword failed.
05-31 15:31:15.670: W/WBPasswordHandler(3596): com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ]
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.firebase.auth.api.internal.zzds.zzb(Unknown Source:31)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.firebase.auth.api.internal.zzew.zza(Unknown Source:11)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.firebase.auth.api.internal.zzeo.zzc(Unknown Source:33)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.firebase.auth.api.internal.zzep.onFailure(Unknown Source:49)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.firebase.auth.api.internal.zzdy.dispatchTransaction(Unknown Source:18)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at com.google.android.gms.internal.firebase_auth.zzb.onTransact(Unknown Source:12)
05-31 15:31:15.670: W/WBPasswordHandler(3596):  at android.os.Binder.execTransact(Binder.java:682)
05-31 15:31:15.673: E/propClient(4595): PropClient failed to load
05-31 15:31:15.674: E/propClient(4592): PropClient failed to load
05-31 15:31:15.704: E/propClient(4598): PropClient failed to load
05-31 15:31:15.714: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.721: E/propClient(4601): PropClient failed to load
05-31 15:31:15.723: E/propClient(4600): PropClient failed to load
05-31 15:31:15.730: E/propClient(4599): PropClient failed to load
05-31 15:31:15.730: I/HWComposer(702): getActiveConfigs: Attempted to access invalid display -1
05-31 15:31:15.763: E/propClient(4603): PropClient failed to load
05-31 15:31:15.858: E/propClient(4604): PropClient failed to load
05-31 15:31:15.896: D/ConnectivityService(1398): filterNetworkStateForUid() uid: 10220 networkInfo: [type: WIFI[] - WIFI, state: CONNECTED/CONNECTED, reason: (unspecified), extra: "wl-ftl-mt44-1-5", failover: false, available: true, roaming: false, metered: false]
05-31 15:31:15.902: E/propClient(4605): PropClient failed to load
05-31 15:31:15.904: W/StorageManager(1398): getStorageLowBytes lowPercent : 5, lowBytes : 2803014860, maxLowBytes : 524288000

Expected Results:

The app signs in successfully using FirebaseUI.

Relevant Code:

These are the library versions I'm using:

// Firebase UI 
implementation("com.firebaseui:firebase-ui-auth:4.2.1") 
implementation("com.facebook.android:facebook-login:4.38.0") 

// Firebase 
implementation("com.google.firebase:firebase-core:16.0.8") 
implementation("com.google.firebase:firebase-messaging:17.6.0") 
implementation("com.google.firebase:firebase-config:16.5.0") 

[francos]

I initially reported this to the Firebase SDK team and after several emails, they said that this was an issue in FirebaseUI (this seems weird to me as it sounds like an issue in the Firebase SDK, but creating the ticket here as they indicated).

[lion4ik]

@FrancoSabadini have you resolved the issue? Looks like I have the same problem!

[francos]

@lion4ik no I haven't and there have been no answers from the FirebaseUI team so far.

[samtstern]

@FrancoSabadini really sorry about the slow response here! That's my fault.

@lsirac can you help me figure out what backend quota this is and how we can avoid it?

[francos]

Hi @samtstern, any news on this?

[lion4ik]

@samtstern could you please clarify me about limits on sign in? Does firebase auth has any limits on how many sign ins could be processed per hour?

[ageblade]

Any news on this?

[parthanjaria]

Is there any update on this? I am still getting this issue.

[bennylu]

Same here. Sign in with email authentication, but got sms quota exceeded messages.

AuthChimeraService: Error description received from server: QUOTA_EXCEEDED : Exceeded quota for verifying passwords.

com.google.firebase.FirebaseTooManyRequestsException: The sms quota for this project has been exceeded. [ Exceeded quota for verifying passwords. ] at com.google.firebase.auth.api.internal.zzeh.zza(com.google.firebase:firebase-auth@@19.3.0:31) at com.google.firebase.auth.api.internal.zzfo.zza(com.google.firebase:firebase-auth@@19.3.0:21) at com.google.firebase.auth.api.internal.zzfe.zza(com.google.firebase:firebase-auth@@19.3.0:34) at com.google.firebase.auth.api.internal.zzfg.zza(com.google.firebase:firebase-auth@@19.3.0:74) at com.google.firebase.auth.api.internal.zzen.zza(com.google.firebase:firebase-auth@@19.3.0:18) at com.google.android.gms.internal.firebase_auth.zza.onTransact(com.google.firebase:firebase-auth@@19.3.0:13) at android.os.Binder.execTransactInternal(Binder.java:1021) at android.os.Binder.execTransact(Binder.java:994)

[justintien]

Today, I also got QUOTA_EXCEEDED : Exceeded quota for verifying passwords....why? My code no change...before work many time...until today...

[jcbowman]

I have the same issue that seems to have started yesterday. I'm not sure it is SMS related, but I don't see any other login quotas documented so its hard to say for sure what the issue is.

When using this endpoint we sometimes get the error below:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword

{
  "error": {
    "code": 400,
    "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
    "errors": [
      {
        "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

[justintien]

I have the same issue that seems to have started yesterday. I'm not sure it is SMS related, but I don't see any other login quotas documented so its hard to say for sure what the issue is.

When using this endpoint we sometimes get the error below:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword

{
  "error": {
    "code": 400,
    "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
    "errors": [
      {
        "message": "QUOTA_EXCEEDED : Exceeded quota for verifying passwords.",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I use endpoint: https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword also got this error.

[keithgallant]

We just started seeing the same error yesterday middle of the day with our web app which is developed in angular. When we look at our actual usage we are no where near our quotas from what we can tell.

[rosalyntan]

We are tracking this internally at b/157950613.

[samtstern]

To add on to what @rosalyntan said there are a few things going on here:

• The error message is wrong. The Auth SDK always mentions "sms" when it gets a quota error from the backend even when the quota that was hit is not an SMS-related quota. We'll fix that.
• We are investigating the deeper issue of why so many people are hitting unexpected quotas, thank you all for reporting this! Your persistence made us realize there was something fishy going on here.

[tonyh-fff]

found this via googling, I am getting a similiar error when I use a nodejs app to send messages to PubSub.. the messages are subsquently processed, and inserted into Firestore.

[sakuradasb]

I am getting a same error from when our website nodejs call email authentication. Firebase SDK returns the message "Exceeded quota for verifying passwords.".

Thousands of our website "https://dasshutsu.games/" users are having trouble playing the games.

I hope this problem will be fixed quickly.

[mksmzpsv]

@sakuradasb I have the same problem in my integration tests where I use Firebase NodeJS (client). My code hasn't changed for weeks and it worked. In my case, it happens when I call the firebase.auth().signInWithEmailAndPassword method. I didn't have any issues with quotas before.

[Jplus2]

I too am getting this error just today, seemed to work ok before. No code changes on my end.

'QUOTA_EXCEEDED : Exceeded quota for verifying passwords.'

[mbazalik]

Coming here from google as well :)

In one of our apps running Firebase RealtimeDatabase on a Spark plan, we are experiencing the same issue while calling firebase.auth().signInWithEmailAndPassword(email, password).

The issue occurred yesterday at 2020-06-03T15:42:53.070Z with the following exception:

{
    "errorType": "Error",
    "errorMessage": "Exceeded quota for verifying passwords.",
    "code": "auth/quota-exceeded",
    "message": "Exceeded quota for verifying passwords."
}

We are connecting to Firebase from AWS Lambda, therefore under higher load, we can expect multiple signInWithEmailAndPassword calls in parallel.

I was not able to find details about this quota. Is this documented somewhere? As well, is this quota depending on Plan (are we going to remove the issue with Upgrade to Flame and Blaze plan), or is it a kind of security limit which we are not able to affect?

Thank you very much

Marian

[jkohlbach]

@rosalyntan thanks for raising this internally... any updates? This is a huge problem, just surprised this hasn't been solved yet.

[bojeil-google]

Hey folks, can you file an issue via support? That is the right place for issues like this and where sensitive project information needs to be shared. This would make it easier to lookup your project and figure out the issue exactly. At a macro level, we are not seeing anything unusual.

[jkohlbach]

@bojeil-google I already have... here was the answer (which is unacceptable imho):

Hi Josh,

My name is Triana from the Firebase support team, I will be happy to help here !

For the error you are facing "Exceeded quota for verifying passwords", this usually happens when one sends requests for verifying passwords or password login requests too many times at once (more than 20 requests per second per IP address or 25 requests per 10 min per account). When we get a huge amount of requests in a short period of time, the limit is applied automatically to protect our servers.

This is an internal quota (regardless of pricing plans) enforced by Firebase Authentication to prevent abuse when making authentication requests, for this reason the quota can change without notice.

In order to avoid triggering this alert, you can do the following actions:

1. Use a different IP address.

2.Backing off the number of requests per minute to something like 10-20, to avoid triggering the automated abuse detection.

3. Reduce the frequency of attempts.

20 requests per MINUTE?! Really?

This basically makes Firebase Auth unsuitable for:

1. Automated testing
2. CI/CD

I'm gonna go out on a limb here and suggest that Google's infrastructure could handle more login requests than that per microsecond.

[bojeil-google]

If you are sending too many requests in a short period of time from the same IP address, then there is an expectation that you will get throttled at some point. It may suck for your integration tests but there is a security benefit that comes with that. The easier it is for you to test, the easier it is for malicious scripts to be written too against your project. We have similar integration tests in other firebase auth libraries (client and admin) and we try to work with the limit. This is true for all services. It is not unique to Firebase or Google.

If you have a legitimate need to increase the limit, then you can file a bug with support and make a case for that. You could even file for a feature request to whitelist calls from certain IP addresses, etc.

[jkohlbach]

You could even file for a feature request to whitelist calls from certain IP addresses, etc.

This would definitely be well received.

[bennylu]

In my case, a predefined email account is set, and have all app users share the same account to access Firebase Database. (Allowing anonymous signin is not suitable for me)

This works for years until we got 'Exceeded quota for verifying passwords.' recently.

[justintien]

Google support no response this?

[samtstern]

The team has determined that a new server rollout has changed how quota is counted and has confirmed that there are elevated rates of quota denial. They're working on a way to mitigate this issue!

[lsamaria]

Is there an update to this problem? I'm using SMS verification in an iOS app and made a loop mistake where I entered an incorrect SMS code for testing phone number and the loop caused Auth to keep trying to sign in. It probably ran hundreds of times before I realized the error. Anyway after I fixed it and tried to sign back in with a correct SMS code I get the same error as everyone else The sms quota for this project has been exceeded.

Because I'm using a testing phone number, shouldn't this problem be avoided?

[MeghaB]

@lsamaria - Have you 'whitelisted the test phone number' and registered this as a test phone number?

[lsamaria]

@MeghaB yes I did, that's what I meant by "I'm using a testing phone number"

[MeghaB]

@lsamaria If you go file a support ticket via Firebase Support, we'll be able to dig in more to the issue here!

[lsamaria]

@MeghaB thanks for the advice. I'll post a ticket tomorrow. Cheers!

[icodeyou]

I've got the same issue. I exceeded the quota even if I send 36 SMS a month (the limit should be 10 000) Any update ?

[vincent-heatseekr]

Having the same issue. All was working fine then it spontaneously started happening.

[mikezliu]

I am seeing this issue when calling getIdToken() from an android application. How should we mitigate this? Caching the id token leads to complexity on when to refresh it, and it should be handled by firebase. I need to get the id token before making server api calls, so this is used quite frequently.

[drinkius]

The same issue with Android SDK for our project as well

[mhdalawieh]

Same issue on my firebase project, been working for more than a year without crossing the 10K/month sms verification limit and now suddenly i keep getting qouta exceeded

[aromano272]

We're having the same issue on Android, when is this going to get solved?

[santosTest]

Same problem for our project. 2 years using it and now we get this quota exceeded, which I find hard to believe because our number of logins with phone number is about 30/day

[Julian-IronForge]

I am seeing this issue when calling getIdToken() from an android application. How should we mitigate this? Caching the id token leads to complexity on when to refresh it, and it should be handled by firebase. I need to get the id token before making server api calls, so this is used quite frequently.

I'm also experiencing this issue currently. However, it appears randomly, even when I am nowhere near using the quota. Very very annoying for development.

[kartikwatwani]

@samtstern Unable to develop an app with a phone auth provider as the logs show SMS quota exceeded but I am using test number.

[Kashif-E]

FirebaseAuth: [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17052 Exceeded quota. i am facing this issue every thing was working fine and all of a sudden this happened

[PipoLucido]

Same here: 17052 Exceeded per phone number quota for sending verification codes. I just use test numbers. but when i tried a nontest number this happend

[Yevgen-Nar]

Я сегодня столкнулся с той же ошибкой (The sms quota for this projact has been exceeded Exceeded per phone number quota for sending verification codes). но для тестирования проекта помогает включение vpn , тогда все работает.

[PipoLucido]

Same here: 17052 Exceeded per phone number quota for sending verification codes. I just use test numbers. but when i tried a nontest number this happend

solved, problem was that i try to send code message once and once without the resend token

[vasu2k]

FirebaseAuth: [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17052 Exceeded quota. i am facing this issue every thing was working fine and all of a sudden this happened

[RajPri]

i face the same, Can any please share how this was resolved?