Sigstore Rate Limits
Sigstore's public-good Fulcio and Rekor instances do not publish formal per-client rate limits in the documentation overview; the project notes the service is operated as a public good and asks heavy consumers to self-host or run a private instance to protect shared capacity. Specific thresholds are not published as a developer-facing SLA.
Tags: Code Signing, PKI, Security, Open Source, Rate Limiting
Limits
Public-good fair use (client): not publicly documented
Public Fulcio and Rekor instances are operated as a public good; heavy users are encouraged to self-host rather than rely on a published throttle.
Policies
Public-Good Fair Use
Treat the public Sigstore instances as a shared public good. For high-volume signing or verification, self-host Fulcio/Rekor (or use a vendor-operated dedicated instance) rather than relying on the public service.
Self-Hosting for Scale
Sigstore is open source; production-critical workloads should run their own Fulcio and Rekor to control availability and avoid dependence on shared infrastructure.