Rate limit on Projects API
DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed
- Introduced in GitLab 15.10 with a flag named `rate_limit_for_unauthenticated_projects_api_access`. Disabled by default.
- Enabled on GitLab.com on May 08, 2023.
- Enabled on self-managed in GitLab 16.0 by default.
- Generally available in GitLab 16.0. Feature flag `rate_limit_for_unauthenticated_projects_api_access` removed.
- Rate limit for group and projects API introduced in GitLab 17.1 with a flag named `rate_limit_groups_and_projects_api`. Disabled by default.
You can configure the rate limit per IP address and per user for requests to the following Projects API endpoints.
Limit | Default | Interval |
---|---|---|
GET /projects (unauthenticated requests) | 400 | 10 minutes |
GET /projects (authenticated requests) | 2000 | 10 minutes |
GET /projects/:id | 400 | 1 minute |
GET /users/:user_id/projects | 300 | 1 minute |
GET /users/:user_id/contributed_projects | 100 | 1 minute |
GET /users/:user_id/starred_projects | 100 | 1 minute |
To change the rate limit:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Network.
- Expand Projects API rate limits.
- Change the value of any rate limit. The rate limits are per minute per user for authenticated requests and per IP address for unauthenticated requests. Set to `0` to disable a rate limit.
- Select Save changes.
The rate limits:
- Apply per user if the user is authenticated.
- Apply per IP address if the user is unauthenticated.
- Can be set to `0` to disable rate limiting.
- Are behind the `rate_limit_groups_and_projects_api` feature flag, except for unauthenticated requests to the `GET /projects` API.
Requests over the rate limit are logged into the `auth.log` file.
For example, if you set a limit of 400 for `GET /projects/:id`, requests to the API endpoint that exceed a rate of 400 within 1 minute are blocked. Access to the endpoint is restored after one minute has elapsed.
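
The blocking behavior described above, modeled as a small counter keyed per user or per IP address. This is an added example, not GitLab's own code: the class and function names are hypothetical, the IP addresses are constructed, and starting each window at a client's first counted request is an assumption.

```python
# Added illustration: a windowed-counter model of the limits in the table above.
# Names are hypothetical; this is not GitLab's implementation.

# endpoint -> (default limit, interval in seconds), copied from the table
DEFAULTS = {
    "GET /projects (unauthenticated)": (400, 600),
    "GET /projects (authenticated)": (2000, 600),
    "GET /projects/:id": (400, 60),
    "GET /users/:user_id/projects": (300, 60),
    "GET /users/:user_id/contributed_projects": (100, 60),
    "GET /users/:user_id/starred_projects": (100, 60),
}


class ProjectsApiLimiter:
    def __init__(self, limits=None):
        self.limits = dict(DEFAULTS if limits is None else limits)
        self.state = {}  # (endpoint, scope) -> [window_start, hits]

    def allow(self, endpoint, ip, now, user_id=None):
        """Return True if the request is served, False if it is blocked."""
        limit, interval = self.limits[endpoint]
        if limit == 0:  # 0 disables the rate limit
            return True
        # Counted per user when authenticated, per IP address otherwise.
        scope = ("user", user_id) if user_id is not None else ("ip", ip)
        key = (endpoint, scope)
        window = self.state.get(key)
        # Assumption: the window opens at the first counted request and
        # access is restored once a full interval has elapsed.
        if window is None or now - window[0] >= interval:
            window = self.state[key] = [now, 0]
        window[1] += 1
        return window[1] <= limit


def replay(limiter, endpoint, n, ip, start, user_id=None):
    """Send n requests at time `start`; return how many were blocked."""
    return sum(not limiter.allow(endpoint, ip, start, user_id) for _ in range(n))
```

Unauthenticated clients behind one NAT or proxy address share a single counter in this model, while each authenticated user gets their own, which is worth keeping in mind when reading throttle entries in `auth.log`.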