What's changing?

As of August 1, 2024, Buf will begin limiting remote plugin requests from unauthenticated users on buf.build. If you send more than 10 unauthenticated requests per hour using remote plugins, you’ll begin to see rate limit errors like this:

Unauthenticated remote plugin rate limit exceeded. For info on how to resolve this, visit: https://buf.build/b/auth-required

We’ll start by failing a small percentage of unauthenticated requests, increasing over time until 100% of unauthenticated requests are blocked. To prevent service interruptions, please update your CI jobs and local usages of the Buf CLI to authenticate with the Buf Schema Registry (BSR) before making these requests.

All Pro and Enterprise users will not be affected by this change and will continue to operate as expected.

How do I authenticate?

If you don't have a BSR account, you can sign up for free. Remote plugins will remain free as well. If you already have an account, you can do the following:

• Locally: Run buf registry login and follow the instructions.
• In CI: Create a BSR token and set it as a secret environment variable BUF_TOKEN.

For step-by-step instructions, including those for GitHub Actions, see our authentication docs.

Why are we doing this?

A small fraction of users are responsible for a large percentage of remote plugin requests. We want to ensure that we can shape the quality of our service by identifying who’s using our platform. We've seen explosive growth and want to ensure everyone has fair access.

If you have any questions, please contact us at support@buf.build, or join us on Slack.