Cloudsmith applies rate limits to protect platform reliability and security, and to ensure predictable performance for all users. These safeguards prevent abusive or accidental overuse and help customers avoid unexpected costs.
Our platform is built to scale with your needs. If your workloads require higher limits, we’ll adjust them. Just contact us and we’ll work with you to set the right limits for your use case.
Cloudsmith Web App and API
Cloudsmith applies default request limits based on how you access the platform. Authenticated usage is the preferred way to use Cloudsmith. It provides higher throughput, better security, and a more reliable experience for production workloads.
The table below shows the baseline defaults:
| Description | Rate Limit |
|---|---|
| Non-authenticated/anonymous users (by IP address) via API | 1,800 req/hour (0.5 req/sec) |
| Authenticated users with on Core plans via API | 5,400 req/hour (1.5 req/sec) |
| Authenticated users on Pro and Velocity plans via API | 10,800 req/hour (3 req/sec) |
| Authenticated users on Ultra or Enterprise plans via API | Custom rate limits apply |
| Authenticated users via app.cloudsmith.com | 10,800 req/hour (3 req/sec) |
| Default download domains | 120,000 req/hour (33.33 req/sec) |
| Custom download domains | Custom rate limits apply |
Package Metadata APIs
Cloudsmith provides native endpoints for different package formats (for example, npm, Docker, Maven, NuGet, and more). These endpoints have a default throttle of 1,512,000 requests per hour (per region, per user, and per organisation). This can be customised dynamically, applying to all package formats.
Need higher limits?
Cloudsmith regularly customizes limits to support customer use cases. If your workloads need more capacity, contact our team and we'll be happy to adjust limits to fit your needs.
Every API response includes headers to help you monitor and manage usage. These can be used in automated workflows to prevent disruptions and optimize performance:
| Header | Meaning | Example |
|---|---|---|
X-RateLimit-Limit | The maximum number of requests that the client is permitted to send per hour. | 600 |
X-RateLimit-Remaining | The number of requests that are remaining in the current rate limit window. | 588 |
X-RateLimit-Reset | The UTC epoch timestamp at which the current rate limit window will reset. | 1485706850 |
X-RateLimit-Interval | The time in seconds that client is suggested to wait until the next request in order to avoid consuming too much within the rate limit window. | 0.98256663893 |
Let's see it in action:
curl -i http://api.cloudsmith.io/user/self/
HTTP/1.0 200 OK
X-RateLimit-Interval: 60.0
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 599
X-RateLimit-Reset: 1485712175
Date: Sun, 29 Jan 2017 16:49:34 GMT
If the client has exceeded the rate limit in a particular rate limit window a 429 Too Many Requests status code will be sent instead of acting upon the request. The body response will be JSON encoded and include a detail message:
curl -i http://api.cloudsmith.io/user/self/
HTTP/1.0 429 Too Many Requests
Allow: GET, OPTIONS
Content-Type: application/json
Retry-After: 3304
Vary: Cookie
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
X-RateLimit-Interval: 3303.55762601
X-RateLimit-Limit: 1
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1485712175
Date: Sun, 29 Jan 2017 16:54:30 GMT
{
"detail": "Request was throttled. Expected available in 3304.0 seconds."
}
Our goal is to give every team a reliable, predictable platform that can meet its needs, without surprises. Rate limits protect Cloudsmith and our users. If your workflows require more capacity, we’ll work with you to ensure you always have the limits you need.