Blog Bulletin Board Rate limitations announced for Projects, Groups, and Users APIs
Published on: May 14, 2024
3 min read

Rate limitations announced for Projects, Groups, and Users APIs

Learn why these changes are being made, when they go into effect, and what to expect.

devsecops-automated-security.jpg

In recent months, we have observed that the frequency and intensity of requests made by users to the Projects, Groups, and Users APIs have increased significantly. This has resulted in an increased load on our servers, which has impacted the performance and stability of our platform for all users. To address this issue, we have decided to introduce rate limitations for all users. Starting with GitLab 17.3 (August 2024) for GitLab Self-managed and July for GitLab.com, all users will be subject to rate limitations when using the Projects, Groups, and Users APIs.

What are the Projects, Groups, and Users APIs?

The Projects and Groups APIs provide information about GitLab projects and groups, including name, description, and other metadata. The Users API provides information about GitLab users. These APIs are widely used by our community, including researchers, developers, and integrators, to retrieve and analyze information about GitLab projects, groups and users. We value this usage and aim to support it as much as possible.

Rate limitation details

All users of the Projects, Groups, and Users APIs will be rate-limited. The limits per endpoint are as follows:

Endpoint Rate limit per user or IP
GET /api/v4/users/:id/followers 100 requests per minute
GET /api/v4/users/:id/following 100 requests per minute
GET /api/v4/users/:user_id/status 240 requests per minute
GET /api/v4/users/:user_id/keys 120 requests per minute
GET /api/v4/users/:id/keys/:key_id 120 requests per minute
GET /api/v4/users/:id/gpg_keys 120 requests per minute
GET /api/v4/users/:id/gpg_keys/:key_id 120 requests per minute
GET /api/v4/users/:user_id/projects 300 requests per minute
GET /api/v4/users/:user_id/contributed_projects 100 requests per minute
GET /api/v4/users/:user_id/starred_projects 100 requests per minute
GET /api/v4/projects 2000 requests per 10 minutes
GET /api/v4/groups/:id/projects 600 requests per minute
GET /api/v4/projects/:id 400 requests per minute
GET /api/v4/groups 200 requests per minute
GET /api/v4/groups/:id 400 requests per minute

We rate-limit based on user for authenticated requests and based on IP for unauthenticated requests. We use the same value for both IP and user. The stated limits have been selected based on average usage patterns and should provide sufficient headroom for most use cases.

If a user exceeds this limit, the user will receive a "429 Too Many Requests" response. On GitLab.com, this limit cannot be changed. Users of GitLab Self-managed instances have the same rate limitation set by default, but admins can change the rate limits as they see fit via the UI or the application settings API. They can also set the rate limit to zero, which acts as if there is no rate limitation at all.

We understand that this change may impact some of our users who rely on the Projects, Groups, and Users APIs, and we apologize for any inconvenience this may cause.

If you have any questions or concerns about this change, please leave feedback in this issue.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert