RubyGems · Rate Limits

Rubygems Rate Limits

RubyGems.org enforces rate limits at two layers. A load balancer tier caps raw request rate per source IP across the API and website. An application tier (rack-attack) layers additional limits on auth, MFA, gem ownership, and gem publishing endpoints. Limits apply per IP/account; there is no paid tier to raise them. Extreme abuse can result in IP blackholing, with appeal via support@rubygems.org.

Rubygems Rate Limits is the machine-readable rate-limit profile for RubyGems on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 6 rate-limit definitions, measuring requests_per_second, requests_per_window, and requests_per_hour.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled.

Tagged areas include Ruby, Package Manager, Open Source, Developer Tools, and Rate Limiting.

6 Limits Throttle: 429
RubyPackage ManagerOpen SourceDeveloper ToolsRate Limiting

Limits

Load balancer (API and website) IP
requests_per_second · second
10
Applies broadly to rubygems.org API and website traffic from a single source IP.
Load balancer (Dependency API / Compact Index) IP
requests_per_second · second
15
Slightly higher cap reflecting bundler resolver behavior.
Auth and account endpoints IP
requests_per_window · minute
100
100 requests per 10 minutes across sign-in, sign-up, password reset, profile, and email confirmation.
Sensitive operations (exponential backoff, short window) account
requests_per_window · minute
300
300 requests per 5 minutes against MFA, ownership changes, API key retrieval, and gem yanking.
Sensitive operations (exponential backoff, long window) account
requests_per_window · day
600
600 requests per 25 hours against MFA, ownership changes, API key retrieval, and gem yanking.
Gem publishing (POST /api/v1/gems) account
requests_per_hour · hour
400
400 successful pushes per hour. Failed pushes additionally counted at 300 / 5 min and 600 / 25 hours.

Policies

Retry-After signaling
Throttled responses include a Retry-After header indicating when to retry. Clients should wait at least that long before retrying.
Exponential backoff on sensitive endpoints
rack-attack escalates penalties on MFA, ownership, key, and yank endpoints; clients should apply exponential backoff with jitter on 429 responses.
No paid raise path
There is no commercial tier to raise limits. High-volume consumers are expected to mirror the index, use the compact index efficiently, or contact support@rubygems.org.
IP blackhole for abuse
Persistent abusive sources may be blackholed at the network edge. Recourse is via support@rubygems.org.

Sources