npm · Rate Limits
npm does not publish per-second or per-minute numeric rate limits for the public registry at registry.npmjs.org. Reads are anonymous and CDN-fronted; abusive traffic is throttled per-IP at the edge. The replication endpoint (replicate.npmjs.com) has explicit pagination caps. Authenticated publish and webhook operations are throttled at the application layer. Limits are not raised per tier; bulk consumers should use replication rather than scraping.
Throttle: 429
Packages, JavaScript, Node.js, Package Management, Registry, Security, Rate Limiting
Limits
Public registry reads (scope: IP)
Limit: see CDN abuse policy; not numerically published
Replication _changes pagination (scope: account)
Limit: 10000. limit query parameter: default 1000, maximum 10000.
Search API page size (scope: IP)
Limit: 250. size parameter on /-/v1/search; default 20, maximum 250.
Authenticated publish (scope: account)
Limit: see registry abuse policy
Policies
Use replication for bulk
For bulk indexing or mirroring, use /_changes and /_all_docs on replicate.npmjs.com with the npm-replication-opt-in header rather than scraping registry.npmjs.org.
Backoff
Honor Retry-After when present; clients should implement exponential backoff with jitter on 429/503 responses.
Authentication for writes
Publish, deprecate, and access-token operations require an npm token; reads are anonymous for public packages.
2FA / Provenance
Publishing requires 2FA on the account or a CI provenance attestation. Not a rate limit but governs which write requests are accepted.
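The Backoff policy above, sketched as an added example (not npm's own code): a client loop that honors Retry-After in both of its forms (delta-seconds and HTTP-date) and otherwise falls back to exponential backoff with full jitter. The base delay, cap, attempt count and maximum wait are illustrative assumptions, not values published by npm; fetchWithBackoff and its options are hypothetical names.

```javascript
// Added example, not npm's code. Numeric defaults are illustrative assumptions.
const RETRYABLE = new Set([429, 503]);

// Retry-After is either delta-seconds or an HTTP-date. Returns ms, or null if absent/unparseable.
function parseRetryAfter(value, nowMs = Date.now()) {
  if (value == null) return null;
  const v = String(value).trim();
  if (/^\d+$/.test(v)) return Number(v) * 1000;
  const t = Date.parse(v);
  return Number.isNaN(t) ? null : Math.max(0, t - nowMs);
}

// Exponential backoff with full jitter: uniform in [0, min(cap, base * 2^attempt)).
function jitteredDelay(attempt, { baseMs = 500, capMs = 60000, random = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// A server-provided Retry-After takes precedence over the locally computed delay.
function nextDelayMs(attempt, retryAfterHeader, opts = {}) {
  const hinted = parseRetryAfter(retryAfterHeader, opts.nowMs);
  return hinted !== null ? hinted : jitteredDelay(attempt, opts);
}

// fetchImpl and sleep are injectable so the loop can be exercised without network or timers.
async function fetchWithBackoff(url, opts = {}) {
  const {
    fetchImpl = fetch,
    maxAttempts = 5,
    maxWaitMs = 300000,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url);
    if (!RETRYABLE.has(res.status) || attempt + 1 >= maxAttempts) return res;
    const delay = nextDelayMs(attempt, res.headers.get('retry-after'), opts);
    // Give up rather than retry earlier than the server asked for.
    if (delay > maxWaitMs) return res;
    await sleep(delay);
  }
}
```

Returning the last 429/503 response instead of throwing leaves the decision to the caller, which can log the status and schedule the work for later.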