Rate limits on Users API

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed
History

You can configure the per-minute rate limit, per IP address and per user, for requests to the following Users API endpoints.

The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.

Limit                                Default
GET /users/:id/followers             100
GET /users/:id/following             100
GET /users/:id/status                240
GET /users/:id/keys                  120
GET /users/:id/gpg_keys              120
GET /users/:id/gpg_keys/:key_id      120

To change the rate limit:

  1. On the left sidebar, at the bottom, select Admin.
  2. Select Settings > Network.
  3. Expand Users API rate limit.
  4. Set values for any available rate limit. The rate limits are per minute, per user for authenticated requests and per IP address for unauthenticated requests. Enter 0 to disable a rate limit.
  5. Select Save changes.

Each rate limit:

  • Applies per user if the request is authenticated.
  • Applies per IP address if the request is unauthenticated.
  • Can be set to 0 to disable rate limits.

Logs:

  • Requests that exceed the rate limit are logged to the auth.log file.
  • Rate limit modifications are logged to the audit_json.log file.

Example:

If you set a rate limit of 150 for GET /users/:id/followers and send 155 requests in a minute, the final five requests are blocked. After a minute, you could continue sending requests until you exceed the rate limit again.
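
The example above, together with the per-user and per-IP rules, as an added Ruby model that is not GitLab's own code. It assumes a fixed 60-second window that opens at a key's first request; the class and method names, the IP address and the user ID are constructed for illustration.

```ruby
# Added model of the documented behaviour; not GitLab's implementation.
# Assumption: a fixed 60-second window that opens at a key's first request.
class UsersApiLimitModel
  WINDOW_SECONDS = 60

  # limits maps an endpoint to requests per minute; 0 disables that limit.
  def initialize(limits)
    @limits = limits
    @windows = {} # [endpoint, scope key] => [window start, request count]
  end

  # Authenticated requests count per user, unauthenticated ones per IP.
  def scope_key(user_id, ip)
    user_id ? "user:#{user_id}" : "ip:#{ip}"
  end

  # Returns :allowed or :blocked for one request at time `now` (seconds).
  def check(endpoint, now:, ip:, user_id: nil)
    limit = @limits.fetch(endpoint, 0) # endpoints without a limit are not throttled here
    return :allowed if limit.zero?

    bucket = [endpoint, scope_key(user_id, ip)]
    start, count = @windows[bucket]
    if start.nil? || now - start >= WINDOW_SECONDS
      start = now # the previous minute is over, open a new window
      count = 0
    end
    count += 1
    @windows[bucket] = [start, count]
    count > limit ? :blocked : :allowed
  end
end

# Sends `n` evenly spaced requests within one minute and tallies the results.
def replay(model, endpoint, n, start_at:, ip:, user_id: nil)
  Array.new(n) do |i|
    model.check(endpoint, now: start_at + (i * 59.0 / n), ip: ip, user_id: user_id)
  end.tally
end

FOLLOWERS = "GET /users/:id/followers"
STATUS = "GET /users/:id/status"

# Constructed input: documentation-range IP address and a made-up user ID.
model = UsersApiLimitModel.new({ FOLLOWERS => 150, STATUS => 0 })
puts replay(model, FOLLOWERS, 155, start_at: 0, ip: "192.0.2.10", user_id: 7).inspect
puts model.check(FOLLOWERS, now: 61, ip: "192.0.2.10", user_id: 7)
```

Because the counter is keyed per user for authenticated requests, a second user behind the same IP address, or an unauthenticated client on that address, is counted separately from the user who was blocked.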