Rate limits on Projects API

{{< details >}}

• Tier: Free, Premium, Ultimate
• Offering: GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

[!note] When upgrading to GitLab 18.0 or later, configurable rate limits for this API are set to 0. Administrators can adjust rate limits as needed. For information about which rate limits are affected, see Rate limitations announced for Projects, Groups, and Users APIs.

Configure Projects API rate limits

{{< history >}}

• Generally available in GitLab 16.0. Feature flag rate_limit_for_unauthenticated_projects_api_access removed.
• Introduced rate limit for the group and projects API in GitLab 17.1 with a flag named rate_limit_groups_and_projects_api. Disabled by default.
• Generally available in GitLab 18.1. Feature flag rate_limit_groups_and_projects_api removed.

{{< /history >}}

Configure the rate limit for each IP address and user for requests to the following Projects API endpoints:

Limit	Default	Interval
GET /projects (unauthenticated requests)	400	10 minutes
GET /projects (authenticated requests)	2000	10 minutes
GET /projects/:id	400	1 minute
GET /users/:user_id/projects	300	1 minute
GET /users/:user_id/contributed_projects	100	1 minute
GET /users/:user_id/starred_projects	100	1 minute

Prerequisites:

• Administrator access.

To change the rate limit:

1. In the upper-right corner, select Admin.
2. Select Settings > Network.
3. Expand Projects API rate limits.
4. Change the value of a rate limit, or set a rate limit to 0 to disable it.
5. Select Save changes.

The rate limits:

• Apply to each authenticated user. If requests are not authenticated, rate limits apply to the IP address.

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 400 for GET /projects/:id, requests to the API endpoint that exceed a rate of 400 requests per minute are blocked. Access to the endpoint is restored after one minute.

For more information about project API endpoints, see the projects API.

Configure rate limits on deleting project members

{{< history >}}

• Introduced in GitLab 16.9.

{{< /history >}}

Configure the rate limit for each project and user for requests to the delete members endpoint.

Prerequisites:

• Administrator access.

To change the rate limit:

1. In the upper-right corner, select Admin.
2. Select Settings > Network.
3. Expand Members API rate limit.
4. In the Maximum requests per minute per group / project text box, enter a value.
5. Select Save changes.

The rate limit:

• Defaults to 60 requests every minute
• Applies for each project and user.
• Can be set to 0 to disable the rate limit.

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 60, requests to the API endpoint that exceed a rate of 60 requests per minute are blocked. Access to the endpoint resumes after one minute.

Configure rate limits on listing project members

{{< history >}}

• Introduced in GitLab 18.6.

{{< /history >}}

Configure the rate limit for requests to the list project members endpoint.

Both the GET /projects/:id/members/all and GET /groups/:id/members/all API endpoints share the same rate limit configuration. If you set a rate limit on the projects endpoint, the rate limit applies also to the groups endpoint.

Prerequisites:

• Administrator access.

To change the rate limit:

1. In the upper-right corner, select Admin.
2. Select Settings > Network.
3. Expand Projects API rate limits.
4. In the Maximum requests to the GET /projects/:id/members/all API per minute per user or IP address text box, enter a value.
5. Select Save changes.

The rate limit:

• Defaults to 200 requests every minute.
• Applies to each project and user.
• Can be set to 0 to disable rate limits.

Requests over the rate limit are logged into the auth.log file.

For example, if you set a limit of 200, requests to the API endpoint that exceed a rate of 200 requests per minute are blocked. Access to the endpoint resumes after one minute.