Rate limits
Anonymous public API requests are rate limited per visitor IP. Requests with a valid API key use the key as the rate-limit identity and receive higher limits.
Default buckets
| Bucket | Default per minute | Applies to |
|---|---|---|
| global | 600 | All public requests covered by a route policy |
| html | 240 | Public HTML pages |
| read | 600 | General public API reads |
| search | 180 | /api/repos search requests with q |
| search_suggest | 120 | /api/search/suggest |
| heavy | 180 | Metrics endpoints |
| embed | 120 | Embed endpoints |
| mutation | 60 | Public non-GET API operations |
| bot | 120 | Requests with bot-like user agents |
Authenticated public API requests currently receive five times the listed bucket limit.
Headers
Rate-limited and successful public API responses can include:
- RateLimit-Limit
- RateLimit-Remaining
- RateLimit-Reset
- RateLimit-Policy
- X-RateLimit-Limit
- X-RateLimit-Remaining
- X-RateLimit-Reset
- X-RateLimit-Bucket
- X-RateLimit-Authenticated
- Retry-After

Handling 429
If you receive 429, wait at least Retry-After seconds before retrying. Clients that ignore this will continue to hit the same one-minute window.
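A client-side sketch of the 429 rule above, added here as an example and not taken from the service's own code: it reads Retry-After, waits, and retries a bounded number of times. The `send` callable, the `max_attempts` default and the 60-second fallback (one full window when the header is missing or malformed) are assumptions of this example; accepting the HTTP-date form of Retry-After follows RFC 9110 rather than this page.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

WINDOW_SECONDS = 60.0  # fallback wait: one full window, as the page describes


def retry_after_seconds(headers, now=None):
    """Seconds to wait after a 429, taken from Retry-After.
    Handles delay-seconds (the form this page describes) and the HTTP-date
    form RFC 9110 also allows. A missing or malformed value falls back to a
    full window instead of an immediate retry.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("retry-after", "").strip()
    if value.isascii() and value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return WINDOW_SECONDS
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def get_with_backoff(send, max_attempts=4, sleep=time.sleep):
    """Call send() until it returns a non-429 status or attempts run out.
    send is a hypothetical callable returning (status, headers, body).
    Returns (status, body, waits) so callers can log how long they paused.
    """
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        if attempt < max_attempts - 1:
            waits.append(retry_after_seconds(headers))
            sleep(waits[-1])
    return 429, None, waits


def demo():
    # Constructed responses: two 429s (one without Retry-After), then success.
    replies = iter([(429, {"Retry-After": "7", "X-RateLimit-Bucket": "search"}, ""),
                    (429, {}, ""), (200, {}, "ok")])
    return get_with_backoff(lambda: next(replies), sleep=lambda s: None)
```

The attempt cap keeps a misbehaving client from retrying forever against a bucket that stays exhausted.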