Buf Schema Registry (BSR)



The Pro and Enterprise plans include a private instance of the Buf Schema Registry (BSR), SSO/SCIM for user provisioning, and several other features to address security, compliance, and automation requirements specific to larger organizations. The pages in this section describe the setup and usage of your private BSR instance and point to relevant sections of the general documentation where there are differences from the public BSR at https://buf.build.

Pro and Enterprise features

Private BSR and SSO/SCIM

We currently support all OIDC or SAML providers for SSO/SCIM, and have specific setup guides for these:

Custom plugins

Pro and Enterprise plans include the ability to upload custom plugins for logic specific to your business needs. See the custom plugins documentation for policy and implementation information.

CI/CD integration

In addition to the GitHub Actions integration for the public BSR, Pro and Enterprise plans offer access to Buf’s GitHub App. The app synchronizes your Protobuf source control with your private BSR instance, and automatically performs breaking change detection, linting, and formatting.

Pro and Enterprise plans also allow you to create bot users that can call the BSR from CI workflows without tying the actions to a specific person.

Audit logging

BSR server admins can query the private BSR instance about several types of events and actions on the server. See audit logs and the audit API documentation for more information.


You can enable webhooks to trigger actions in other backend services, such as CI/CD or notification workflows. They are disabled by default.

Enterprise-only features

Policy checks

On your private BSR, you can enforce a set of breaking change rules across all repositories. Once enabled, any commits with breaking changes are put into a review flow, where they can be accepted or rejected by the BSR repository owners or admins. This protects downstream consumers from breaking changes, while enabling those closest to the code to approve them when appropriate. See the overview and review commits documentation for more information.

You can also require that all Protobuf file paths and type names remain unique across modules. When the uniqueness policy check is enabled, the BSR rejects any pushes that introduce violations to this rule. See Uniqueness checks for more information.

Usage dashboard

Similar to the Average Types Usage dashboard available on the public BSR, a Maximum Types Usage dashboard is available for private instances at https://{REMOTE}/admin/usage, where {REMOTE} is your instance's domain name.

There are some differences in the way we compute types for private instances vs. the public BSR, which reflect the terms around how these contracts are billed:

  • Types usage for the public BSR is computed as the average number of types over the organization's billing period.
  • Private instance usage tracks the maximum number of types for all organizations on the entire instance over a calendar month.

Example dashboard

Example dashboard