API Intro + Rate Limits (SaaS)

Configuring rate limits

  • Use case: Rate limits prevent denial-of-service or brute-force attacks. IP blocks usually happen when GitLab.com receives unusual traffic from a single IP address that the system views as potentially malicious based on rate limit settings.
  • Benefit: They improve the security and durability of your application.
  • Get started: Configure GitLab.com-specific rate limits in your admin settings.

GitLab.com-specific block responses

  • “403 forbidden” error: If it’s associated with all GitLab.com requests, look for an automated process that could’ve triggered a block. For further assistance, provide GitLab support with the error details—including the affected IP address.
  • HAProxy API throttle: GitLab.com responds with HTTP status code 429 to API requests that exceed 10 requests per second, per IP address.
  • Protected paths throttle: GitLab.com responds with HTTP status code 429 to POST requests at protected paths that exceed 10 requests per minute, per IP address.
  • Git and container registry failed authentication ban: GitLab.com responds with HTTP status code 403 for one hour if it receives 30 failed authentication requests within three minutes from a single IP address.
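
To find the automated process behind a block, the thresholds above can be replayed over your own outbound request logs. The following is an added example, not GitLab code: the event tuple format, the `kind` labels, the sliding-window counting and the sample events are assumptions made for illustration, and GitLab.com's own counters may be implemented differently.

```python
from collections import defaultdict, deque

# kind -> (events needed to trip, window in seconds, status GitLab.com returns),
# taken from the limits listed above. "Exceed 10" trips on the 11th event;
# the failed-authentication ban trips on the 30th failure.
RULES = {
    "api": (11, 1.0, 429),
    "protected_post": (11, 60.0, 429),
    "auth_fail": (30, 180.0, 403),
}

def find_trips(events):
    """events: iterable of (ts_seconds, ip, kind) in any order (assumed format).
    Returns [(ts, ip, kind, status)] for the first trip of each (ip, kind)."""
    windows = defaultdict(deque)
    tripped, trips = set(), []
    for ts, ip, kind in sorted(events):
        if kind not in RULES or (ip, kind) in tripped:
            continue
        need, span, status = RULES[kind]
        w = windows[(ip, kind)]
        w.append(ts)
        while ts - w[0] >= span:      # drop events older than the window
            w.popleft()
        if len(w) >= need:
            tripped.add((ip, kind))
            trips.append((ts, ip, kind, status))
    return trips

def sample_events():
    """Constructed sample data (documentation IP range), not real logs."""
    ev = [(100 + i / 20, "203.0.113.10", "api") for i in range(12)]   # 12 calls in 0.55 s
    ev += [(200 + i / 20, "203.0.113.40", "api") for i in range(10)]  # exactly 10: allowed
    ev += [(i * 5, "203.0.113.20", "auth_fail") for i in range(30)]   # 30 failures in 145 s
    ev += [(i * 10, "203.0.113.30", "auth_fail") for i in range(30)]  # too slow to trip
    return ev

if __name__ == "__main__":
    for ts, ip, kind, status in find_trips(sample_events()):
        print(f"t={ts}s {ip} trips {kind} -> HTTP {status}")
```

Feeding it the request log of a CI runner or integration host shows which source address and which rule would have produced the 429 or 403 responses.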

Your rate limit checklist