This version of GitHub Enterprise was discontinued on 2023-03-15. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Rate limits for OAuth apps

Rate limits restrict the rate of traffic to your GitHub Enterprise Server instance, to help ensure consistent access for all users.

Note: Consider building a GitHub App instead of an OAuth app. The rate limit for GitHub Apps using an installation access token scales with the number of repositories and number of organization users. Conversely, OAuth apps have lower rate limits and do not scale. For more information, see "Differences between GitHub Apps and OAuth apps" and "About creating GitHub Apps."

About rate limits for OAuth apps

Rate limits are disabled by default for GitHub Enterprise Server. Contact your site administrator to confirm the rate limits for your instance.

When rate limits are enabled for your GitHub Enterprise Server instance, there is a limit on the number of requests an OAuth app can send to the server within a specific time period. This limit helps to ensure the system remains available for all users.

OAuth apps act on behalf of a user, by making requests with a user access token after the user authorizes the app. User access token requests from OAuth apps are authenticated with an OAuth token. For more information, see "Authorizing OAuth apps."

Determining rate limits for an OAuth app

You can confirm your current rate limit status at any time using the REST API. For more information, see "Resources in the REST API."

By default, OAuth apps are limited to 5,000 requests per hour per authenticated user. All requests from OAuth apps authorized by a user, requests made with a personal access token owned by that user, and requests authenticated with any of the user's authentication credentials share the same quota of 5,000 requests per hour for that user.
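Because the quota is shared across everything a user has authorized, an app cannot track its budget with a local counter and has to read the status the server reports. The following is an added example, not code from GitHub's documentation: it parses the `x-ratelimit-limit`, `x-ratelimit-remaining` and `x-ratelimit-reset` response headers of the GitHub REST API (header names not shown on this page) and paces requests accordingly. The `reserve` parameter and the sample header values are assumptions made for illustration.

```python
"""Client-side pacing from GitHub REST API rate-limit response headers."""
from typing import Mapping, NamedTuple, Optional


class RateStatus(NamedTuple):
    limit: int        # x-ratelimit-limit: quota for the current window
    remaining: int    # x-ratelimit-remaining: requests left for this user
    reset_epoch: int  # x-ratelimit-reset: end of the window, UTC epoch seconds


def parse_rate_headers(headers: Mapping[str, str]) -> Optional[RateStatus]:
    """Return the server-reported status, or None if it is missing or malformed.

    Missing headers are treated here as "no limit information", which is what
    a client should expect when the instance has rate limits disabled.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        status = RateStatus(int(h["x-ratelimit-limit"]),
                            int(h["x-ratelimit-remaining"]),
                            int(h["x-ratelimit-reset"]))
    except (KeyError, ValueError):
        return None
    return status if status.limit > 0 and status.remaining >= 0 else None


def next_delay(status: Optional[RateStatus], now: float, reserve: int = 0) -> float:
    """Seconds to wait before sending the next request.

    reserve (hypothetical knob): requests left untouched for the user's other
    apps and tokens, which all draw on the same per-user quota.
    """
    if status is None:
        return 0.0
    until_reset = max(0.0, status.reset_epoch - now)
    usable = status.remaining - reserve
    if usable <= 0:
        return until_reset       # budget spent: wait for the window to reset
    return until_reset / usable  # spread what is left evenly across the window


# Constructed sample headers (not captured from a real instance).
SAMPLE = {"X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "120",
          "X-RateLimit-Reset": "1700003600"}
```

Call `parse_rate_headers` on every response rather than once per window, since another app or token belonging to the same user can consume the quota between two of your requests.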
