Skip to main content

Usage and quotas


The GitGuardian API and its scan capability can be used to scan simple content quickly, or even to write complex integrations for non-publicly available services.

Most of GitGuardian's Open Source projects use the GitGuardian API as their backbone. ggshield and py-gitguardian are two examples.

Stateless scanning

The GitGuardian API endpoints are stateless, meaning any scanned documents or found secrets are not stored on our servers when performing a secrets scan. We do, however, collect and store some metadata for purposes such as quota usage and access logs.


API quotas are only consumed by API calls related to the scan scope:

  • the /scan endpoint ingests only one document (piece of text) and consumes 1 quota.
  • the /multiscan endpoint ingests several documents at a time (20 max) and consumes 1 quota.
    If a commit contains 40 different documents to scan, scanning this commit will require 2 quotas.

Quota usage is based on requests, not on the size of the content you scan.

The quota is set on a rolling month, not on a calendar month.
This means that if 200 API calls are made on the last day of the month, you will need to wait 30 days before 200 new calls are credited back to your account.
This quota is applied at the workspace level, not at the individual API key level. Consequently, exceeding the quota with one API key will restrict all other API keys in the same workspace from making further API calls.
The quota depends on your plan but you can always contact us to increase it:

Free planPaid plan
Quota10,000 calls/month100,000 calls/month

Workspace Managers can track usage of their quota in the Quota section of their workspace:

API usage

Rate limiting

The GitGuardian API implements rate limiting to manage the number of requests made to the API.
This helps prevent abuse, ensures fair usage, and maintains the performance and availability of the API.

The GitGuardian API implements rate limiting at the API key level, ensuring that each key is allocated a predetermined maximum number of requests within a designated timeframe.
If the limit is exceeded, the GitGuardian API will return error with status code 429 and the requests will not be processed.
The rate limiting varies based on the type of API key (personal access token or service account) and the plan of your workspace:

Free planPaid plan
Personal access token50 requests/minute100 requests/minute
Service accountN/A
Service accounts are not available under the Free plan
500 requests/minute

By default, API rate limiting is not applied to GitGuardian self-hosted instances.

How can I help you ?