npm · Rate Limits

Npm Rate Limits

npm does not publish per-second or per-minute numeric rate limits for the public registry at registry.npmjs.org. Reads are anonymous and CDN-fronted; abusive traffic is throttled per-IP at the edge. The replication endpoint (replicate.npmjs.com) has explicit pagination caps. Authenticated publish and webhook operations are throttled at the application layer. Limits are not raised per tier; bulk consumers should use replication rather than scraping.

Npm Rate Limits is the machine-readable rate-limit profile for npm on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 4 rate-limit definitions, measuring varies and results_per_request.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and serviceUnavailable.

Tagged areas include Packages, JavaScript, Node.js, Package Management, and Registry.

4 Limits Throttle: 429
PackagesJavaScriptNode.jsPackage ManagementRegistrySecurityRate Limiting

Limits

Public registry reads IP
varies
see CDN abuse policy; not numerically published
Replication _changes pagination account
results_per_request
10000
limit query parameter: default 1000, maximum 10000.
Search API page size IP
results_per_request
250
size parameter on /-/v1/search; default 20, maximum 250.
Authenticated publish account
varies
see registry abuse policy

Policies

Use replication for bulk
For bulk indexing or mirroring, use /_changes and /_all_docs on replicate.npmjs.com with the npm-replication-opt-in header rather than scraping registry.npmjs.org.
Backoff
Honor Retry-After when present; clients should implement exponential backoff with jitter on 429/503 responses.
Authentication for writes
Publish, deprecate, and access-token operations require an npm token; reads are anonymous for public packages.
2FA / Provenance
Publishing requires 2FA on the account or a CI provenance attestation. Not a rate limit but governs which write requests are accepted.

Sources