Rate limits on Users API
- Tier: Free, Premium, Ultimate
- Offering: GitLab Self-Managed
Version history
- Rate limits for Users API introduced in GitLab 17.1 with a flag named `rate_limiting_user_endpoints`. Disabled by default.
- Added customizable rate limits in GitLab 17.10.
You can configure the per-minute rate limit per IP address and per user for requests to the following Users API endpoints.
The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.
Limit | Default |
---|---|
GET /users/:id/followers | 100 each minute |
GET /users/:id/following | 100 each minute |
GET /users/:id/status | 240 each minute |
GET /users/:id/keys | 120 each minute |
GET /users/:id/keys/:key_id | 120 each minute |
GET /users/:id/gpg_keys | 120 each minute |
GET /users/:id/gpg_keys/:key_id | 120 each minute |
To change the rate limit:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Network.
- Expand Users API rate limit.
- Set values for any available rate limit. The rate limits are per minute, per user for authenticated requests and per IP address for unauthenticated requests. Enter `0` to disable a rate limit.
- Select Save changes.
Each rate limit:
- Applies per user if the request is authenticated.
- Applies per IP address if the request is unauthenticated.
- Can be set to `0` to disable rate limits.
Logs:
- Requests that exceed the rate limit are logged to the `auth.log` file.
- Rate limit modifications are logged to the `audit_json.log` file.
Example:
If you set a rate limit of 150 for `GET /users/:id/followers` and send 155 requests in a minute, the final five requests are blocked. After a minute, you could continue sending requests until you exceed the rate limit again.
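
The following Python model is an added example, not GitLab code. It reproduces the behaviour described above (per-user counting for authenticated requests, per-IP counting for unauthenticated ones, `0` disabling a limit) so you can check what a given setting will block. The class and function names are hypothetical, and the fixed 60-second window and per-endpoint counters are assumptions of the model.

```python
import re
from collections import defaultdict

# Defaults from the table above (requests per minute); 0 disables a limit.
DEFAULT_LIMITS = {
    "/users/:id/followers": 100,
    "/users/:id/following": 100,
    "/users/:id/status": 240,
    "/users/:id/keys": 120,
    "/users/:id/keys/:key_id": 120,
    "/users/:id/gpg_keys": 120,
    "/users/:id/gpg_keys/:key_id": 120,
}
WINDOW = 60  # seconds; fixed windows are an assumption of this model


def _compile(template):
    # Turn "/users/:id/keys/:key_id" into an anchored regex.
    return re.compile("^" + re.sub(r":\w+", "[^/]+", template) + "$")


class UsersApiLimiter:
    """Hypothetical model of the documented behaviour, not GitLab code."""

    def __init__(self, limits=None):
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))
        self.routes = [(_compile(t), t) for t in self.limits]
        self.counts = defaultdict(int)

    def allow(self, path, now, ip, user_id=None):
        template = next((t for rx, t in self.routes if rx.match(path)), None)
        limit = self.limits.get(template, 0)
        if limit == 0:  # unlisted endpoint or limit disabled
            return True
        # Authenticated requests count per user, unauthenticated per IP.
        scope = ("user", user_id) if user_id is not None else ("ip", ip)
        key = (template, scope, int(now // WINDOW))
        self.counts[key] += 1
        return self.counts[key] <= limit


def blocked_in_burst(limiter, n, path, start, ip, user_id=None):
    # Send n requests inside one window; return the indexes that were blocked.
    return [i for i in range(n)
            if not limiter.allow(path, start + i * 0.1, ip, user_id)]
```
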