RubyGems · Rate Limits
RubyGems.org enforces rate limits at two layers. A load balancer tier caps raw request rate per source IP across the API and website. An application tier (rack-attack) layers additional limits on auth, MFA, gem ownership, and gem publishing endpoints. Limits apply per IP/account; there is no paid tier to raise them. Extreme abuse can result in IP blackholing, with appeal via [email protected].
Throttle: 429
Limits
| Limit | Keyed by | Value | Details |
|---|---|---|---|
| Load balancer (API and website) | IP | 10 | Applies broadly to rubygems.org API and website traffic from a single source IP. |
| Load balancer (Dependency API / Compact Index) | IP | 15 | Slightly higher cap reflecting bundler resolver behavior. |
| Auth and account endpoints | IP | 100 | 100 requests per 10 minutes across sign-in, sign-up, password reset, profile, and email confirmation. |
| Sensitive operations (exponential backoff, short window) | account | 300 | 300 requests per 5 minutes against MFA, ownership changes, API key retrieval, and gem yanking. |
| Sensitive operations (exponential backoff, long window) | account | 600 | 600 requests per 25 hours against MFA, ownership changes, API key retrieval, and gem yanking. |
| Gem publishing (POST /api/v1/gems) | account | 400 | 400 successful pushes per hour. Failed pushes additionally counted at 300 / 5 min and 600 / 25 hours. |
Policies
Retry-After signaling
Throttled responses include a Retry-After header indicating when to retry. Clients should wait at least that long before retrying.
Exponential backoff on sensitive endpoints
rack-attack escalates penalties on MFA, ownership, key, and yank endpoints; clients should apply exponential backoff with jitter on 429 responses.
No paid raise path
There is no commercial tier to raise limits. High-volume consumers are expected to mirror the index, use the compact index efficiently, or contact [email protected].
IP blackhole for abuse
Persistent abusive sources may be blackholed at the network edge. Recourse is via [email protected].
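The Retry-After and exponential-backoff policies above, sketched as client-side retry logic. This is an added example, not RubyGems.org or Bundler code; the constants, the method names and the `[status, headers]` block contract are assumptions made for illustration.

```ruby
require "time"

# Assumed client-side settings; the page does not specify any of these.
BASE_DELAY   = 1.0    # seconds, ceiling for the first retry
MAX_DELAY    = 300.0  # seconds, cap on the backoff ceiling
MAX_ATTEMPTS = 6

# Retry-After may be delay-seconds or an HTTP-date.
# Returns seconds to wait (>= 0), or nil when absent or unparseable.
def parse_retry_after(value, now: Time.now)
  return nil if value.nil? || value.strip.empty?
  v = value.strip
  return v.to_i.to_f if v.match?(/\A\d+\z/)
  [Time.httpdate(v) - now, 0.0].max
rescue ArgumentError
  nil
end

# Delay before retry number `attempt` (1-based): exponential backoff with
# full jitter, never shorter than the wait the server asked for.
def retry_delay(attempt, retry_after: nil, now: Time.now, rng: Random.new)
  ceiling  = [BASE_DELAY * (2**(attempt - 1)), MAX_DELAY].min
  jittered = rng.rand * ceiling
  floor    = parse_retry_after(retry_after, now: now) || 0.0
  [jittered, floor].max
end

# Runs the block until it returns a non-429 status or attempts run out.
# The block returns [status, headers]; `sleeper` is injectable for testing.
def with_rate_limit_retries(sleeper: ->(s) { sleep(s) }, rng: Random.new)
  1.upto(MAX_ATTEMPTS) do |attempt|
    status, headers = yield(attempt)
    return [status, headers] unless status == 429
    break if attempt == MAX_ATTEMPTS
    sleeper.call(retry_delay(attempt, retry_after: headers["Retry-After"], rng: rng))
  end
  raise "still throttled (429) after #{MAX_ATTEMPTS} attempts"
end
```

A server-supplied Retry-After longer than MAX_DELAY is still honored, because the cap applies only to the client's own backoff ceiling.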