Global rate limits and throttling in Discourse

Discourse ships with 3 different global rate limits that can be configured by site admins.

Global per-ip rate limits

These limits apply to every unique IP address that hits the Discourse application. (files that are served directly from the filesystem or the CDN are excluded)

By default this rate limit is enabled, you may disable it or set it to a reporting mode.

DISCOURSE_MAX_REQS_PER_IP_MODE : default none, this rate limit does not apply out of the box yet. (other options are warn and warn+block)

DISCOURSE_MAX_REQS_PER_IP_PER_MINUTE: number of requests per IP per minute (default is 200)

DISCOURSE_MAX_REQS_PER_IP_PER_10_SECONDS: number of requests per IP per 10 seconds (default is 50)

DISCOURSE_MAX_ASSET_REQS_PER_IP_PER_10_SECONDS: number of asset (avatars/css) requests per IP per 10 seconds (default is 200)

DISCOURSE_MAX_REQS_RATE_LIMIT_ON_PRIVATE: should the rate limit apply to private IPs accessing Discourse? default is false.

User API rate limits

The mobile applications acquire a user API key per device to access Discourse on behalf of a user (using an open protocol). These API keys are very tightly limited.


Admin API rate limits

The administrative API keys can be generated via the page. These keys can operate on behalf of users, but require administrative privileges to generate. They are limited, but not as strictly as the user API keys.


Versions of Discourse prior to 1.9 did not include this limiting.

What should I do if I hit a rate limit and get throttled?

If you are consuming the API programmatically and receive back a 429 status code throttle reply you should respect it and slow down.

As an end user you should not really experience rate limits if you do, slow down. You could trigger it by opening 50 tabs real quick or doing something like that.

How do I amend these limits?

To amend the limits add the desired change into your app.yml file in the env section.

If you are hosted by Discourse contact

Firewall and proxy warning! :warning:

If you are running a reverse proxy which is mis-configured Discourse may think all the requests are coming from a single IP address, it is very likely you will hit rate limits early. Be sure to configure your reverse proxy to forward the IP correctly.


We’re accessing the API via admin key from a private IP and increased DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE but still hit API limits.

How does Discourse know the requests are coming from a private IP as DISCOURSE_MAX_REQS_RATE_LIMIT_ON_PRIVATE is false?

Are there additional settings to whitelist those IPs?