Updated rate limits for unauthenticated requests

Confusion over what actually changed

  • Docs list 60 req/hour unauthenticated, 5000/hour personal, 15000/hour enterprise, but the changelog post doesn’t state numbers, which many find odd.
  • Some say these limits haven’t changed in a year; others report much harsher throttling for weeks, suggesting “secondary” limits or new heuristics.
  • “Secondary rate limits” are described in docs as dynamic and possibly undisclosed, adding to uncertainty.

User experience and impact

  • Multiple reports of hitting 429s just by browsing a few files unauthenticated, especially on new browsers/incognito or mobile.
  • Some users stay logged in for months with no issue; others get logged out frequently and must redo 2FA, making the low unauthenticated limits painful.
  • Rate limits also affect raw.githubusercontent.com and .diff views, breaking scripts, install tooling, demos, and possibly some package-manager workflows.
  • A separate GitHub discussion notes persistent 429s tied (at least initially) to certain headers like Accept-Language: zh-CN, though behavior seems broader.

Motivations: AI scraping vs walled gardens

  • Many assume this targets AI/LLM crawlers strip-mining public code; others suspect generic abusive bots.
  • A faction argues this is primarily about forcing logins, tracking users, and enclosing what used to be an open hub, especially under Microsoft ownership.
  • Counterpoint: GitHub is entitled to protect availability and isn’t a charity; abusive scraping makes free anonymous access unsustainable.

Debate over responsibility and ethics

  • One side blames AI companies for “looting” open content at scale without giving back, making lock-down inevitable.
  • The other side argues that platforms are choosing to respond by closing the web rather than engineering better defenses, likening this to past anti-piracy crackdowns.
  • Disagreement over whether AI use of FOSS code is “theft” or just another reuse of open licenses.

Alternatives, decentralization, and technical ideas

  • Suggestions to move important projects to SourceHut, Codeberg, self‑hosted GitLab/Forgejo/Gitea; network effects and resourcing remain obstacles.
  • Some self-hosters report banning huge numbers of IPs or blocking commit URLs to survive AI crawlers.
  • Proposed mitigations include fair-queuing per IP, more caching, or architectural optimization instead of aggressive global limits.
  • Broader worry: this is another step toward a login‑only, ID‑gated internet.
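
To make the fair-queuing suggestion above concrete, here is an added example (not code from the thread or from GitHub) that compares a single shared request budget with round-robin queuing per IP. The workload, the addresses (documentation ranges) and the capacity of 15 requests per window are constructed assumptions, and the scheduler is a simplified model rather than a production design.

```python
from collections import Counter, OrderedDict, deque

def global_limit(arrivals, capacity):
    """One shared budget per window: first come, first served, the rest get 429."""
    served = Counter()
    for ip in arrivals[:capacity]:
        served[ip] += 1
    return served

def fair_queue(arrivals, capacity):
    """Round-robin over per-IP queues: each active IP gets one slot per round."""
    queues = OrderedDict()
    for ip in arrivals:
        queues.setdefault(ip, deque()).append(ip)
    served = Counter()
    while capacity > 0 and queues:
        for ip in list(queues):          # snapshot, since queues shrinks below
            if capacity == 0:
                break
            queues[ip].popleft()
            served[ip] += 1
            capacity -= 1
            if not queues[ip]:           # this IP has nothing left to serve
                del queues[ip]
    return served

# Constructed workload: one bulk client bursts first, then three light clients.
SCRAPER = "203.0.113.7"
BROWSERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
ARRIVALS = [SCRAPER] * 100 + [b for b in BROWSERS for _ in range(3)]
CAPACITY = 15  # assumed requests the backend can serve per window

if __name__ == "__main__":
    for name, policy in (("global limit", global_limit), ("fair queue", fair_queue)):
        served = policy(ARRIVALS, CAPACITY)
        print(name)
        for ip in [SCRAPER] + BROWSERS:
            print(f"  {ip}: {served[ip]} served")
```

Under the shared budget the burst consumes the whole window and the light clients are rejected; under per-IP round-robin each light client is served in full and the bulk client receives only the leftover capacity.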