Rate limits on Users API
{{< details >}}
- Tier: Free, Premium, Ultimate
- Offering: GitLab Self-Managed
{{< /details >}}
{{< history >}}
- Rate limits for Users API introduced in GitLab 17.1 with a flag named `rate_limiting_user_endpoints`. Disabled by default.
- Added customizable rate limits in GitLab 17.10.
{{< /history >}}
You can configure the per-minute rate limit, per IP address and per user, for requests to the following Users API endpoints.
{{< alert type="flag" >}}
The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.
{{< /alert >}}
Limit | Default |
---|---|
GET /users/:id/followers | 100 each minute |
GET /users/:id/following | 100 each minute |
GET /users/:id/status | 240 each minute |
GET /users/:id/keys | 120 each minute |
GET /users/:id/keys/:key_id | 120 each minute |
GET /users/:id/gpg_keys | 120 each minute |
GET /users/:id/gpg_keys/:key_id | 120 each minute |
To change the rate limit:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Network.
- Expand Users API rate limit.
- Set values for any available rate limit. The rate limits are per minute, per user for authenticated requests and per IP address for unauthenticated requests. Enter `0` to disable a rate limit.
- Select Save changes.
Each rate limit:
- Applies per user if the request is authenticated.
- Applies per IP address if the request is unauthenticated.
- Can be set to `0` to disable rate limits.
Logs:
- Requests that exceed the rate limit are logged to the `auth.log` file.
- Rate limit modifications are logged to the `audit_json.log` file.
Example:
If you set a rate limit of 150 for `GET /users/:id/followers` and send 155 requests in a minute, the final five requests are blocked. After a minute, you could continue sending requests until you exceed the rate limit again.
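
The example above, modelled as a fixed one-minute window counter in Ruby. This is an added illustration, not GitLab's rate-limiting code. The class and method names, the alignment of the window to the clock minute, the separate counters for authenticated and unauthenticated requests, and the sample IP addresses and user ID are assumptions.

```ruby
# Model of the documented behaviour; not GitLab's implementation.
class UsersApiLimitModel
  WINDOW = 60 # seconds; the documented limits are per minute

  # Defaults from the table above (requests per minute).
  DEFAULTS = {
    'GET /users/:id/followers' => 100,
    'GET /users/:id/following' => 100,
    'GET /users/:id/status' => 240,
    'GET /users/:id/keys' => 120,
    'GET /users/:id/keys/:key_id' => 120,
    'GET /users/:id/gpg_keys' => 120,
    'GET /users/:id/gpg_keys/:key_id' => 120
  }.freeze

  def initialize(overrides = {})
    @limits = DEFAULTS.merge(overrides)
    @counts = Hash.new(0)
  end

  # Returns true if the request is allowed, false if it is blocked.
  # user_id is nil for unauthenticated requests; now is whole seconds.
  def allow?(endpoint, ip:, user_id: nil, now:)
    limit = @limits.fetch(endpoint)
    return true if limit.zero? # 0 disables the rate limit

    # Authenticated requests count per user, unauthenticated ones per IP.
    scope = user_id ? "user:#{user_id}" : "ip:#{ip}"
    key = [endpoint, scope, now / WINDOW]
    @counts[key] += 1
    @counts[key] <= limit
  end
end

# Constructed scenario: limit of 150, then 155 requests inside one minute.
def simulate_followers_burst
  ep = 'GET /users/:id/followers'
  model = UsersApiLimitModel.new(ep => 150)
  results = (0...155).map { |i| model.allow?(ep, ip: '192.0.2.10', user_id: 42, now: i / 3) }
  {
    allowed: results.count(true),
    blocked: results.count(false),
    same_user_other_ip: model.allow?(ep, ip: '192.0.2.11', user_id: 42, now: 55),
    unauthenticated_same_ip: model.allow?(ep, ip: '192.0.2.10', now: 55),
    next_minute: model.allow?(ep, ip: '192.0.2.10', user_id: 42, now: 60)
  }
end
```

In this model an authenticated user who has used up the limit stays blocked when switching IP address, because the counter is keyed on the user rather than the address.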