Updated rate limits for unauthenticated requests

GitHub answered <a href="https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;159123#discussioncomment-13148279">https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;159123#discuss...</a>

I don’t think the publication date (May 8, as I type this) on the GitHub blog article is the same date this change became effective.<p>From a long-term, clean network I have been consistently seeing these “whoa there!” secondary rate limit errors for over a month when browsing more than 2-3 files in a repo.<p>My experience has been that once they’ve throttled your IP under this policy, you cannot even reach a login page to authenticate. The docs direct you to file a ticket (if you’re a paying customer, which I am) if you consistently get that error.<p>I was never able to file a ticket when this happened because their rate limiter also applies to one of the required backend services that the ticketing system calls from the browser. Clearly they don’t test that experience end to end.

60 req&#x2F;hour for unauthenticated users<p>5000 req&#x2F;hour for authenticated - personal<p>15000 req&#x2F;hour for authenticated - enterprise org<p>According to <a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;rest&#x2F;using-the-rest-api&#x2F;rate-limits-for-the-rest-api?apiVersion=2022-11-28" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;rest&#x2F;using-the-rest-api&#x2F;rate-limi...</a><p>I bump into this just browsing a repo&#x27;s code (unauth).. seems like it&#x27;s one of the side effects of the AI rush.

Several people in the comments seem to be blaming Github for taking this step for no apparent reason.<p>Those of us who self-host git repos know that this is not true. Over at ardour.org, we&#x27;ve passed the 1M-unique-IP&#x27;s banned due to AI trawlers sucking our repository 1 commit at a time. It was killing our server before we put fail2ban to work.<p>I&#x27;m not arguing that the specific steps Github have taken are the right ones. They might be, they might not, but they do help to address the problem. Our choice for now has been based on noticing that the trawlers are always fetching commits, so we tweaked things such that the overall http-facing git repo works, but you cannot access commit-based URLs. If you want that, you need to use our github mirror :)

If a company the size of MS isn&#x27;t able handle the DOS caused by the LLM slurpers, then it really is game over for the open internet. We are going to need government approved ID based logins to even read the adverts at this rate.<p>But this feels like a further attempt to create a walled garden around &#x27;our&#x27; source code. I say our, but the first push to KYC, asking for phone numbers, was enough for me to delete all and close my account. Being on the outside, it feels like those walls get taller every month. I often see an interesting project mentioned on HN and clone the repo, but more and more times that is failing. Trying to browse online is now limited, and they recently disabled search without an account.<p>For such a critical piece of worldwide technology infrastructure, maybe it would be better run by a not-for-profit independent foundation. I guess, since it is just git, anyone could start this, and migration would be easy.

&gt; These changes will apply to operations like cloning repositories over HTTPS, anonymously interacting with our REST APIs, and downloading files from raw.githubusercontent.com.<p>Or randomly when clicking through a repository file tree. The first time I hit a rate limit was when I was skimming through a repository on my phone, and about the 5th file I clicked I was denied and locked out. Not for a few seconds either, it lasted long enough that I gave up on waiting then refreshing every ~10 seconds.

Does it seem to anyone like eventually the entire internet will be login only?<p>At this point knowledge seems to be gathered and replicated to great effect and sites that either want to monetize their content OR prevent bot traffic wasting resources seem to have one easy option.

This means it&#x27;s no longer safe to point to github-hosted repos in `git:` or `github:` dependencies in ruby bundler, yes?<p>I forget because I don&#x27;t use them, but weren&#x27;t there some products meant as dependency package repositories that github had introduced at some point, for some platforms? Does this apply to them? (I would hope not unless they want to kill them?)<p>This rather enormously changes github&#x27;s potential place in ecosystems.<p>What with the poor announcement&#x2F;rollout -- also unusual for what we expect of github, if they had realized how much this effects -- I wonder if this was an &quot;emergency&quot; thing not fully thought out in response to the crazy decentralized bot deluge we&#x27;ve all been dealing with. I wonder if they will reconsider and come up with another solution -- this one and the way it was rolled out do not really match the ingenuity and competence we usually count on from github.<p>I think it will hurt github&#x27;s reputation more than they realize if they don&#x27;t provide a lot more context, with suggested workarounds for various use cases, and&#x2F;or a rollback. This is actually quite an impactful change, in a way that the subtle rollout seems to suggest they didn&#x27;t realize?

Are the scraper sites using a large number of IP addresses, like a distributed denial of service attack? If not, rather than explicit blocking, consider using fair queuing. Do all the requests from IP addresses that have zero requests pending. Then those from IP addresses with one request pending, and so forth. Each IP address contends with itself, so making massive numbers of requests from one address won&#x27;t cause a problem.<p>I put this on a web site once, and didn&#x27;t notice for a month that someone was making queries at a frantic rate. It had zero impact on other traffic.

Wow, I&#x27;m realizing this applies to even browsing files in the web UI without being logged in, and the limits are quite low?<p>This rather significantly changes the place of github hosted code in the ecosystem.<p>I understand it is probably a response to the ill-behaved decentralized bot-nets doing mass scraping with cloaked user-agents (that everyone assumes is AI-related, but I think it&#x27;s all just speculation and it&#x27;s quite mysterious) -- which is affecting most of us.<p>The mystery bot net(s) are kind of destroying the open web, by the counter-measures being chosen.

What does “secondary” stand for here in the error message?<p>&gt; You have exceeded a secondary rate limit.<p>Edit and self-answer:<p>&gt; In addition to primary rate limits, GitHub enforces secondary rate limits<p>(…)<p>&gt; These secondary rate limits are subject to change without notice. You may also encounter a secondary rate limit for undisclosed reasons.<p><a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;rest&#x2F;using-the-rest-api&#x2F;rate-limits-for-the-rest-api?apiVersion=2022-11-28#about-secondary-rate-limits" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;rest&#x2F;using-the-rest-api&#x2F;rate-limi...</a>

I assume they&#x27;re trying to keep ai bots from strip mining the whole place.<p>Or maybe your IP&#x2F;browser is questionable.

The truth is this won&#x27;t actually stop AI crawlers and they&#x27;ll just move to a large residential proxy pool to work around it. Not sure what the solution is honestly.

The blog post is tagged with &quot;improvement&quot; - ironic for more restrictive rate limits.<p>Also, neither the new nor the old rate limits are mentioned.

A take that I&#x27;m not seeing in all the &quot;LLM scrapers are heading to our site, run for your lives!&quot; threads is this:<p>Why can&#x27;t people harden their software with guards? Proper DDoS protection? Better caching? Rewrite the hot paths in C, Rust, Zig, Go, Haskell etc.?<p>It strikes me as very odd, the atmosphere of these threads. So much doom and gloom. If my site was hit by an LLM scraper I&#x27;d be like &quot;oh, it&#x27;s on!&quot;, a big smile, and I&#x27;ll get to work right away. And I&#x27;ll have that work approved because I&#x27;ll use the occasion to convince the executives of the need. And I&#x27;ll have tons of fun.<p>Can somebody offer a take on why are we, the forefront of the tech sector, just surrendering almost without a single shot?

This was announced <a href="https:&#x2F;&#x2F;github.blog&#x2F;changelog&#x2F;2025-05-08-updated-rate-limits-for-unauthenticated-requests&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.blog&#x2F;changelog&#x2F;2025-05-08-updated-rate-limits...</a>

Most of these unauthenticated requests are read-only.<p>All of public github is only 21TB. Can&#x27;t they just host that on a dumb cache and let the bots crawl to their heart&#x27;s content?

Also <a href="https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;157887">https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;157887</a> &quot;Persistent HTTP 429 Rate Limiting on *.githubusercontent.com Triggered by Accept-Language: zh-CN Header&quot; but the comments show examples with no language headers.<p>I encountered this too once, but thought it was a glitch. Worrying if they can&#x27;t sort it.

I remember getting this error a few months ago, this does not seem like a temporary glitch. They dont want llm makers to slurp all the data.

Good that tools like Homebrew that heavily rely on GitHub usually support environment variables like GITHUB_TOKEN

Did I miss where it says what the new rate limits are? Or are they secret?

Even with authenticated requests, viewing a pull request and adding `.diff` to the end of the URL is currently ratelimited at 1 request per minute. Incredibly low, IMO.

Probably to throttle scraping from AI competitors, and have them pay for the privilege as many other services have been doing

How would this affect Go dependencies?

Time for Mozilla (and other open-source projects) to move repositories to sourcehut&#x2F;Codeberg or self-hosted Gitlab&#x2F;Forgejo?

Once again people post in the &quot;community&quot;, but nobody official replies; these discussion-pages are just users shouting into the void.

you mean you want to better track users

See also: <a href="https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;159123">https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;159123</a>

It sucks that we&#x27;ve collectively surrendered the urls to our content to centralized services that can change their terms at any time without any control. Content can always be moved, but moving the entire audience associated with a url is much harder.

<a href="https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;157887">https:&#x2F;&#x2F;github.com&#x2F;orgs&#x2F;community&#x2F;discussions&#x2F;157887</a> This has been going on for weeks and is clearly not a simple mistake.

Just tried it on chrome incognito on iOS and do hit this 429 rate limit :S That sucks, it’s already bad enough when GitHub started enforcing login to even do a simple search.