Skip to content

Rate limits

The BSR limits the number of API requests you can make within a specified amount of time. These limits prevent abuse and ensures that the BSR remains available for all users.

Limits

Code generation

Unauthenticated traffic

The BSR allows 10 unauthenticated code generation requests per hour, with a burst of up to 10 requests. If you send more than 10 unauthenticated requests per hour using remote plugins, you’ll receive a rate limit error.

To prevent service interruptions, ensure that your CI jobs and local usages of the Buf CLI authenticate with the Buf Schema Registry (BSR) before making these requests.

Pro and Enterprise users aren't affected by this limit.

How to authenticate

If you don't have a BSR account, you can sign up—it's free. Remote plugins are free as well. If you already have an account, do the following:

  • Locally: Run buf registry login and follow the instructions.
  • In CI: Create a BSR token and set it as a secret environment variable named BUF_TOKEN.

For step-by-step instructions, including those for GitHub Actions, see our authentication docs.

Authenticated traffic

The BSR allows 960 authenticated code generation requests per hour, with a burst of up to 120 requests.

FileDescriptorSetService

Unauthenticated traffic

Only authenticated traffic is permitted to access this endpoint.

Authenticated traffic

The BSR allows 1 authenticated request per second to this service, with a burst of up to 2 requests.

Buf CLI

Every call to buf generate that involves remote plugins counts as one request, with a max limit of 20 plugins per request. For example, if you have a buf.gen.yaml file with 22 remote plugins, the BSR rejects your request.

If you have exactly 20 (or fewer) plugins and run buf generate, this counts as one request.

Monitoring your rate limit

Callers can check response headers to determine the current status of rate limiting.

Header Description
X-RateLimit-Limit The number of requests allowed in a window of time
X-RateLimit-Remaining The number of requests that can still be made in the current window of time
X-RateLimit-Reset The number of seconds until the current rate limit window completely resets
Retry-After When rate limited, the number of seconds to wait before another request is accepted

Exceeding the rate limit

Requests that exceed a rate limit return HTTP status code 429 and the X-RateLimit-Remaining header is 0. You shouldn't retry your request until after the number of seconds specified in the Retry-After header.

Increasing your rate limit

If you want a higher rate limit, consider making authenticated requests instead of unauthenticated requests. Authenticated requests have a significantly higher rate limit than unauthenticated requests. See how to authenticate the Buf CLI for details on authenticating.

If you are hitting a rate limit that you don't believe you should be, contact us.