Rate Limits and Scaling with Cloudsmith

Cloudsmith applies rate limits to ensure reliability, security and consistent performance for all users. These limits help protect against abusive or accidental overuse. Most users will never encounter rate limits, and if your workloads require more capacity, we’ll adjust them. Contact us and we’ll work with you to configure limits to match your requirements.

Cloudsmith Web App and API

Cloudsmith applies default request limits based on how you access the platform. Authenticated usage is the preferred way to use Cloudsmith. It provides higher throughput, better security, and a more reliable experience for production workloads.

The table below shows the baseline defaults:

DescriptionRate Limit
Non-authenticated/anonymous users (by IP address) via API1,800 req/hour (0.5 req/sec)
Authenticated users on a Core plan via API5,400 req/hour (1.5 req/sec)
Authenticated users on a Pro or Velocity plans via API10,800 req/hour (3 req/sec)
Authenticated users on an Ultra or Enterprise plans via APICustom rate limits apply
Authenticated app.cloudsmith.com usage10,800 req/hour (3 req/sec)
Package downloads via default domain120,000 req/hour (33.33 req/sec)
Package downloads via custom domainCustom rate limits apply

Package Metadata APIs

Cloudsmith provides native endpoints for different package formats (for example, npm, Docker, Maven, NuGet, and more). These endpoints have a default throttle of 1,512,000 requests per hour (per region, per user, and per organisation). This can be customised dynamically, applying to all package formats.

📘

Need higher limits?

Cloudsmith regularly customizes limits to support customer use cases. If your workloads need more capacity, contact our team and we'll be happy to adjust limits to fit your needs.

Monitoring your usage

Each API response includes headers to help you monitor and manage usage. These can be used in automated workflows to prevent disruptions and optimize performance:

HeaderMeaningExample
X-RateLimit-LimitThe maximum number of requests that the client is permitted to send per hour.600
X-RateLimit-RemainingThe number of requests that are remaining in the current rate limit window.588
X-RateLimit-ResetThe UTC epoch timestamp at which the current rate limit window will reset.1485706850
X-RateLimit-IntervalThe time in seconds that client is suggested to wait until the next request in order to avoid consuming too much within the rate limit window.0.98256663893

Let's see it in action:

curl -i http://api.cloudsmith.io/user/self/

HTTP/1.0 200 OK
X-RateLimit-Interval: 60.0
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 599
X-RateLimit-Reset: 1485712175
Date: Tue, 5 Aug 2025 12:34:56 GMT

If the client has exceeded the rate limit in a particular rate limit window a 429 Too Many Requests status code will be sent instead of acting upon the request. The body response will be JSON encoded and include a detail message:

curl -i http://api.cloudsmith.io/user/self/

HTTP/1.0 429 Too Many Requests
Allow: GET, OPTIONS
Content-Type: application/json
Retry-After: 3304
Vary: Cookie
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
X-RateLimit-Interval: 3303.55762601
X-RateLimit-Limit: 1
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1485712175
Date: Sun, 29 Jan 2017 16:54:30 GMT

{
  "detail": "Request was throttled. Expected available in 3304.0 seconds."
}

Scaling with Cloudsmith

Our goal is to give every team a reliable, predictable platform that can meet its needs, without surprises. Rate limits protect Cloudsmith and our users. If your workflows require more capacity, we’ll work with you to ensure you always have the limits you need.

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.


Start My Free Trial Now
Cookie Declaration (Manage Cookies)