Packagist · Rate Limits

Packagist Rate Limits

Name: Packagist Rate Limits
Creator: Packagist
Keywords: Composer, PHP, Package Registry, Dependency Management, Open Source, Developer Tools, Software Supply Chain, Security Advisories

Packagist does not publish a strict per-key request-per-second rate limit; the project publishes operational guidance for high-volume clients instead. These values are derived from the official API documentation at packagist.org/apidoc.

Packagist Rate Limits is the machine-readable rate-limit profile for Packagist on the APIs.io network, conforming to the API Commons Rate Limits specification.

The profile also includes 7 backoff/retry policies defined.

Tagged areas include Composer, PHP, Package Registry, Dependency Management, and Open Source.

0 Limits

ComposerPHPPackage RegistryDependency ManagementOpen SourceDeveloper ToolsSoftware Supply ChainSecurity Advisories

Policies

Maximum 10 concurrent HTTP requests against the Packagist application API.

Maximum 20 concurrent HTTP requests against the static Composer v2 metadata mirror.

Avoid scheduling jobs at the top of the hour (XX:00) or at midnight UTC; these are observed traffic peaks. Spread workloads randomly across the hour.

Send a descriptive User-Agent header including a `mailto=` contact so the Packagist team can reach you about misbehaving clients.

Use HTTP/2-capable clients to take advantage of multiplexing.

Metadata change-log entries are retained for 24 hours. Mirror operators must poll within this window.

Application-level package payloads are cached for 12 hours; prefer /p2/ endpoints for fresher data.