Rate limits on Users API - Gitlabhq

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed, GitLab Dedicated

Rate limits for Users API introduced in GitLab 17.1 with a flag named rate_limiting_user_endpoints. Disabled by default.
Added customizable rate limits in GitLab 17.10.
Generally available in GitLab 18.1. Feature flag rate_limiting_user_endpoints removed.

[!note] When upgrading to GitLab 18.0 or later, configurable rate limits for this API are set to 0. Administrators can adjust rate limits as needed. For information about which rate limits are affected, see Rate limitations announced for Projects, Groups, and Users APIs.

You can configure the per minute rate limit per IP address and per user for requests to the following Users API.

Limit	Default
`GET /users/:id/followers`	100 each minute
`GET /users/:id/following`	100 each minute
`GET /users/:id/status`	240 each minute
`GET /users/:id/keys`	120 each minute
`GET /users/:id/keys/:key_id`	120 each minute
`GET /users/:id/gpg_keys`	120 each minute
`GET /users/:id/gpg_keys/:key_id`	120 each minute

Prerequisites:

Administrator access.

To change the rate limit:

In the upper-right corner, select Admin.
Select Settings > Network.
Expand Users API rate limit.
Set values for any available rate limit. The rate limits are per minute, per user for authenticated requests and per IP address for unauthenticated requests. Enter 0 to disable a rate limit.
Select Save changes.

Each rate limit:

Applies per user if the request is authenticated.
Applies per IP address if the request is unauthenticated.
Can be set to 0 to disable rate limits.

Logs:

Requests that exceed the rate limit are logged to the auth.log file.
Rate limit modifications are logged to the audit_json.log file.

Example:

If you set a rate limit of 150 for GET /users/:id/followers and send 155 requests in a minute, the final five requests are blocked. After a minute, you could continue sending requests until you exceed the rate limit again.