Skip to content

Update rate limit for authenticated API requests

John Jarvis requested to merge jarv/new-rate-limits into master

What does this MR do?

This iterates on rate limiting which was enabled in the last year on

This MR aligns our rate limits to what GitHub offers.

After discussion below, we have decided on a smaller iteration which will reduce the rate limit for authenticated api requests from 2k/min -> 1k/min.

Rate limits on the API is one of the best tools we have right now to avoid noisy-neighbor effects on Gitaly, that is causing disruption, and impacting our SLOs. Examples: gitlab-com/gl-infra/production#5037 (closed),

If approved, we will first implement these limits in dry-run to see the affected users, we may need to add some whitelisting, or reach out to customers.

Rate limits

Type GitLab GitHub GitLab Proposed
API per user 2000req/min 5000req/hour 1000req/min

Rollout plan

  • Get approval for the rate limit change
  • Run new rate limits in dry-run
  • Merge and communicate update
  • Apply rate limits

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?


Availability and Testing


Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by John Jarvis

Merge request reports