Buf Schema Registry

Rate limits

The BSR limits the number of API requests you can make within a specified amount of time. These limits prevent abuse and ensure that the BSR remains available for all users.

Limits

Code generation

Unauthenticated traffic

The BSR allows 10 unauthenticated code generation requests per hour, with a burst of up to 10 requests. If you send more than 10 unauthenticated requests per hour using remote plugins, you’ll receive a rate limit error.

To prevent service interruptions, ensure that your CI jobs and local uses of the Buf CLI authenticate with the BSR before making these requests.

Pro and Enterprise users aren't affected by this limit.

How do I authenticate?

If you don't have a BSR account, you can sign up for free. Remote plugins are free as well. If you already have an account, do the following:

  • Locally: Run buf registry login and follow the instructions.
  • In CI: Create a BSR token and set it as a secret environment variable named BUF_TOKEN.

For step-by-step instructions, including those for GitHub Actions, see our authentication docs.

Authenticated traffic

The BSR allows 960 authenticated code generation requests per hour, with a burst of up to 120 requests.

FileDescriptorSetService

Unauthenticated traffic

Only authenticated traffic is permitted to access this endpoint.

Authenticated traffic

The BSR allows 1 authenticated request per second to this service, with a burst of up to 2 requests.

Buf CLI

Every call to buf generate that involves remote plugins counts as one request, with a maximum of 20 plugins per request. For example, if you have a buf.gen.yaml file with 22 remote plugins, the BSR will reject your request.

If you have exactly 20 (or fewer) plugins and run buf generate, this will count as one request.

Monitoring your rate limit

Callers can check response headers to determine the current status of rate limiting.

Header                  Description
X-RateLimit-Limit       The number of requests allowed in a window of time
X-RateLimit-Remaining   The number of requests that can still be made in the current window of time
X-RateLimit-Reset       The number of seconds until the current rate limit window completely resets
Retry-After             When rate limited, the number of seconds to wait before another request will be accepted

Exceeding the rate limit

Requests that exceed a rate limit will return HTTP status code 429 and the X-RateLimit-Remaining header will be 0. You should not retry your request until after the number of seconds specified in the Retry-After header.
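
The following sketch shows one way a client could act on these headers. It is an added example, not code from Buf or the Buf CLI. The function names, the 60-second default, the fallback to X-RateLimit-Reset when Retry-After is missing or malformed, and the sample header values are assumptions of this example; send stands in for whatever function performs the real request.

```python
import time
from typing import Callable, Mapping, Optional, Tuple

# Constructed sample of a rate-limited response's headers (not captured from the BSR).
SAMPLE_429_HEADERS = {
    "X-RateLimit-Limit": "10",
    "X-RateLimit-Remaining": "0",
    "X-RateLimit-Reset": "1800",
    "Retry-After": "1800",
}

def header_seconds(headers: Mapping[str, str], name: str) -> Optional[int]:
    """Return a header as a non-negative int, or None if absent or malformed."""
    for key, value in headers.items():
        if key.lower() == name.lower():  # HTTP header names are case-insensitive
            try:
                return max(0, int(value.strip()))
            except ValueError:
                return None
    return None

def seconds_to_wait(status: int, headers: Mapping[str, str], default_wait: int = 60) -> int:
    """Seconds to wait before the next request; 0 means it can go out now."""
    retry_after = header_seconds(headers, "Retry-After")
    reset = header_seconds(headers, "X-RateLimit-Reset")
    if status == 429:
        # Honor Retry-After first; the fallbacks are this example's assumption.
        if retry_after is not None:
            return retry_after
        return reset if reset is not None else default_wait
    # Not limited yet, but the window is spent: wait for the reset rather than
    # sending a request that would be rejected.
    if header_seconds(headers, "X-RateLimit-Remaining") == 0 and reset is not None:
        return reset
    return 0

Response = Tuple[int, Mapping[str, str]]  # (HTTP status, response headers)

def call_with_retry(send: Callable[[], Response], max_attempts: int = 3,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Call send() until it is not rate limited or attempts run out; return last status."""
    status = 0
    for attempt in range(max_attempts):
        status, headers = send()
        if status != 429:
            break
        if attempt + 1 < max_attempts:
            sleep(seconds_to_wait(status, headers))
    return status
```

Capping the number of attempts keeps a CI job from stalling indefinitely when the limit is hit repeatedly.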

Increasing your rate limit

If you want a higher rate limit, consider making authenticated requests instead of unauthenticated requests. Authenticated requests have a significantly higher rate limit than unauthenticated requests. See how to authenticate the buf CLI for details on authenticating.

If you are hitting a rate limit that you don't believe you should be, please contact us.