When running VIP Authentication Hub with CA API Gateway in front, is there a limit to how many simultaneous token requests the API Gateway can handle, and what rate limit values apply to the /oauth2/v1/token, /iarisk/v1/UserRiskScoreEvaluator, and /iarisk/v1/PostUserRiskScoreEvaluator APIs?
The VIP Authentication Hub doesn't impose such a rate limit, but the environment should be tuned to avoid DDoS attacks by configuring nginx (1).
As a best practice, have rate limiting handled by a network component (e.g. a WAF) that sits in front of the VIP Authentication Hub (e.g. Cloudflare).
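A sketch of per-endpoint limits for the three APIs named above, using nginx's standard limit_req, limit_conn and real_ip directives. This is an added example, not configuration from the product documentation; it assumes nginx acts as the reverse proxy in front of the service, and the zone names, rates, burst sizes, host name, certificate paths, upstream address and trusted proxy range are all placeholders to be sized from your own traffic.

```nginx
# Added example (http context). All names and numbers below are placeholders.

# Needed only when a WAF/CDN sits in front: restore the real client address,
# otherwise every request is counted against the WAF's own IP.
set_real_ip_from 192.0.2.0/24;      # placeholder: your WAF/CDN egress range
real_ip_header   X-Forwarded-For;

# One shared-memory zone per API class, keyed by client address.
limit_req_zone  $binary_remote_addr zone=token_rl:10m rate=10r/s;
limit_req_zone  $binary_remote_addr zone=risk_rl:10m  rate=20r/s;
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

upstream authhub_backend {
    server 127.0.0.1:8443;          # placeholder: gateway / Authentication Hub service
}

server {
    listen 443 ssl;
    server_name authhub.example.com;             # placeholder
    ssl_certificate     /etc/nginx/tls/tls.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/tls.key;

    limit_req_status    429;   # return 429 instead of the default 503
    limit_conn_status   429;
    limit_req_log_level warn;  # rejected requests are logged for alerting
    limit_conn per_ip_conn 50; # cap on simultaneous connections per client

    # Token endpoint: tightest limit, short burst served without delay.
    location = /oauth2/v1/token {
        limit_req zone=token_rl burst=20 nodelay;
        proxy_pass https://authhub_backend;
    }

    # Risk evaluation endpoints share one zone.
    location ~ ^/iarisk/v1/(UserRiskScoreEvaluator|PostUserRiskScoreEvaluator)$ {
        limit_req zone=risk_rl burst=40 nodelay;
        proxy_pass https://authhub_backend;
    }

    location / {
        proxy_pass https://authhub_backend;
    }
}
```

Keying on the client address penalises many users behind one NAT or corporate proxy equally, so check rejected-request log entries against legitimate traffic before tightening the rates.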