Sigstore · Rate Limits

Sigstore Rate Limits

Sigstore's public-good Fulcio and Rekor instances do not publish formal per-client rate limits in the documentation overview; the project notes the service is operated as a public good and asks heavy consumers to self-host or run a private instance to protect shared capacity. Specific thresholds are not published as a developer-facing SLA.

Sigstore Rate Limits is the machine-readable rate-limit profile for Sigstore on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 1 rate-limit definition, whose measured quantity is recorded only as "varies".

The profile also defines 2 backoff/retry policies.

Tagged areas include Code Signing, PKI, Security, Open Source, and Rate Limiting.


Limits

Public-good fair use client
Limit: varies (not publicly documented)
Public Fulcio and Rekor instances are operated as a public good; heavy users are encouraged to self-host rather than rely on a published throttle.

Policies

Public-Good Fair Use
Treat the public Sigstore instances as a shared public good. For high-volume signing or verification, self-host Fulcio/Rekor (or use a vendor-operated dedicated instance) rather than relying on the public service.
Self-Hosting for Scale
Sigstore is open source; production-critical workloads should run their own Fulcio and Rekor to control availability and avoid dependence on shared infrastructure.

Sources