Docker Hub rate limit
Docker Hub limits the number of Docker image downloads, or pulls, based on the account type of the user pulling the image. Pull rate limits are based on individual IP address.
|100 pulls per 6 hours per IP address
|200 pulls per 6 hour period
|Users with a paid Docker subscription
|Up to 5000 pulls per day
If you require a higher number of pulls, you can also buy an Enhanced Service Account add-on.
A user's limit is equal to the highest entitlement of their personal account or any organization they belong to. To take advantage of this, you must sign in to Docker Hub as an authenticated user. For more information, see How do I authenticate pull requests. Unauthenticated (anonymous) users will have the limits enforced via IP.
- Pulls are accounted to the user doing the pull, not to the owner of the image.
- A pull request is defined as up to two
GETrequests on registry manifest URLs (
- A normal image pull makes a single manifest request.
- A pull request for a multi-arch image makes two manifest requests.
HEADrequests aren't counted.
- Some images are unlimited through our Docker Sponsored Open Source and Docker Verified Publisher programs.
When you issue a pull request and you are over the limit, Docker Hub returns a
429 response code with the following body when the manifest is requested:
You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits
This error message appears in the Docker CLI or in the Docker Engine logs.
Valid API requests to Hub usually include the following rate limit headers in the response:
These headers are returned on both GET and HEAD requests.
Using GET emulates a real pull and counts towards the limit. Using HEAD won't. To check your limits, you need
To get a token anonymously, if you are pulling anonymously:
$ TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
To get a token with a user account, if you are authenticated (insert your username and password in the following command):
$ TOKEN=$(curl --user 'username:password' "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
Then to get the headers showing your limits, run the following:
$ curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
Which should return the following headers:
In the previous example, the pull limit is 100 pulls per 21600 seconds (6 hours), and there are 76 pulls remaining.
If you don't see any RateLimit header, it could be because the image or your IP is unlimited in partnership with a publisher, provider, or an open-source organization. It could also mean that the user you are pulling as is part of a paid Docker plan. Pulling that image won’t count toward pull limits if you don’t see these headers. However, users with a paid Docker subscription pulling more than 5000 times daily require a Service Account subscription.
To take advantage of the higher limits included in a paid Docker subscription, you must authenticate pulls with your user account.
The following section contains information on how to sign in to Docker Hub to authenticate pull requests.
If you are using Docker Desktop, you can sign in to Docker Hub from the Docker Desktop menu.
Select Sign in / Create Docker ID from the Docker Desktop menu and follow the on-screen instructions to complete the sign-in process.
If you're using a standalone version of Docker Engine, run the
docker login command from a terminal to authenticate with Docker Hub. For information on how to use the command, see
If you're running Docker Swarm, you must use the
-- with-registry-auth flag to authenticate with Docker Hub. For more information, see
Create a service. If you are using a Docker Compose file to deploy an application stack, see
docker stack deploy.
If you're using GitHub Actions to build and push Docker images to Docker Hub, see login action. If you are using another Action, you must add your username and access token in a similar way for authentication.
If you're running Kubernetes, follow the instructions in Pull an Image from a Private Registry for information on authentication.
If you're using any third-party platforms, follow your provider’s instructions on using registry authentication.
- AWS CodeBuild
- AWS ECS/Fargate
- Azure Pipelines
- Chipper CI
Docker Hub also has an overall rate limit to protect the application and infrastructure. This limit applies to all requests to Hub properties including web pages, APIs, and image pulls. The limit is applied per-IP, and while the limit changes over time depending on load and other factors, it's in the order of thousands of requests per minute. The overall rate limit applies to all users equally regardless of account level.
You can differentiate between these limits by looking at the error
code. The "overall limit" returns a simple
429 Too Many Requests
response. The pull limit returns a longer error message that
includes a link to this page.