ContextQMD
Back to Gitlabhq

Rate limits on Groups API

doc/administration/settings/rate_limit_on_groups_api.md

18.11.26.5 KB
Original Source

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

[!note] When upgrading to GitLab 18.0 or later, configurable rate limits for this API are set to 0. Administrators can adjust rate limits as needed. For information about which rate limits are affected, see Rate limitations announced for Projects, Groups, and Users APIs.

Configure Groups API rate limits

{{< history >}}

  • Introduced rate limit for groups and projects API in GitLab 17.1 with a flag named rate_limit_groups_and_projects_api. Disabled by default.
  • Generally available in GitLab 18.1. Feature flag rate_limit_groups_and_projects_api removed.

{{< /history >}}

Configure the rate limit for each IP address and user for requests to the following Groups API endpoints:

LimitDefaultInterval
GET /groups2001 minute
GET /groups/:id4001 minute
GET /groups/:id/groups/shared01 minute
GET /groups/:id/invited_groups601 minute
GET /groups/:id/projects6001 minute
POST /groups/:id/archive601 minute

Prerequisites:

  • Administrator access.

To change the rate limit:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Network.
  3. Expand Groups API rate limits.
  4. Change the value of any rate limit, or set a rate limit to 0 to disable it.
  5. Select Save changes.

The rate limits:

  • Apply to each authenticated user. If requests are not authenticated, rate limits apply to the IP address.
  • Can be set to 0 to disable rate limiting.

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 400 for GET /groups/:id, requests to the API endpoint that exceed a rate of 400 per minute are blocked. Access to the endpoint is restored after one minute.

Rate limit on listing group members

{{< history >}}

{{< /history >}}

A rate limit is set on the list all group members API endpoint.

Both the GET /projects/:id/members/all and GET /groups/:id/members/all API endpoints share the same rate limit configuration. If you set a rate limit on the projects endpoint, the rate limit applies also to the groups endpoint.

Prerequisites:

  • Administrator access.

To modify this rate limit for both endpoints:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Network.
  3. Expand Projects API rate limits.
  4. In the Maximum requests to the GET /projects/:id/members/all API per minute per user or IP address text box, enter a value.
  5. Select Save changes.

The rate limit:

  • Defaults to 200 requests every minute.
  • Applies for each group and user.
  • Is configured through the Projects API rate limits settings. For more information, see Configure rate limits on listing project members.
  • Can be set to 0 to disable the rate limit for both endpoints.

Requests over the rate limit are logged into the auth.log file.

For example, requests to the API endpoint that exceed a rate of 200 requests per minute are blocked. Access to the endpoint resumes after one minute.

Configure rate limits on group archiving and unarchiving

{{< details >}}

  • Status: Experiment

{{< /details >}}

{{< history >}}

{{< /history >}}

Configure a rate limit on requests to the following group archiving endpoints:

plaintext
POST /groups/:id/archive
POST /groups/:id/unarchive

Prerequisites:

  • Administrator access.

To change the rate limit:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Network.
  3. Expand Groups API rate limits.
  4. In the Maximum requests to the POST /groups/:id/archive and POST /groups/:id/unarchive API per minute per user or IP address text box, enter a value.
  5. Select Save changes.

The rate limit:

  • Defaults to 60 requests every minute
  • Apply to each authenticated user. If requests are not authenticated, rate limits apply to the IP address.
  • Can be set to 0 to disable rate limits for both endpoints

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 60, requests to the API endpoint that exceed a rate of 60 requests per minute are blocked. Access to the endpoint resumes after one minute.

For more information on group archiving endpoints, see Archive a group.

Configure rate limits on deleting group members

{{< history >}}

{{< /history >}}

Configure the rate limit for each group and user for requests to the delete members endpoint.

Prerequisites:

  • Administrator access.

To change the rate limit:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Network.
  3. Expand Members API rate limit.
  4. In the Maximum requests per minute per group / project text box, enter a value.
  5. Select Save changes.

The rate limit:

  • Defaults to 60 requests every minute.
  • Applies for each group and user.
  • Can be set to 0 to disable the rate limit.

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 60, requests to the API endpoint that exceed a rate of 60 requests per a minute are blocked. Access to the endpoint is restored after one minute.