raw.githubusercontent.com - How to authenticate and how to see headers with information? · community · Discussion #160828

https://github.blog/changelog/2025-05-08-updated-rate-limits-for-unauthenticated-requests/ It's now clear that unauthenticated access to raw.githubusercontent.com will be strongly rate limited and authenticated access is encouraged. Ok, message received loud and clear.

But the REST API documentation is clear on how to authenticate to the API and you even get handy HTTP headers back to tell you your status: eg

x-ratelimit-limit: 5000
x-ratelimit-remaining: 4998
x-ratelimit-reset: 1748427512
x-ratelimit-used: 2
x-ratelimit-resource: core

What I have not been able to find is any clear information on how to authenticate to raw.githubusercontent.com.

eg:

I did try experimenting, but another problem is that as far as I can see calls to raw.githubusercontent.com don't give you back any headers like the ones above so you can tell if your authentication attempt was successful or not.

Am I missing something obvious here? (Sorry if so)

Are there docs on this?

Can we get headers with auth feedback?

Thanks,

ps. If people want to discuss the wisdom of this rate limiting, there are existing issues - let's keep this issue focussed on docs and headers please! https://github.com/orgs/community/discussions/157887 and https://github.com/orgs/community/discussions/159123


Hi, @jarofgreen
Just wanted to say - I’ve been running into the exact same confusion lately.

As far as I can tell, raw.githubusercontent.com doesn’t actually support authentication at all.
You can throw your personal access token in the header, but it’s ignored - no rate limit headers, no feedback, nothing.
So yeah, you get a 200, but that doesn’t mean your auth worked - it just means the file exists and was public anyway.

It looks like the only official way to do authenticated access is via the GitHub REST API (/repos/:owner/:repo/contents/:path), which gives you the proper rate limit headers and actually respects your token.
Not ideal if you’re just trying to grab a raw file, but at least it’s reliable.

Totally agree it would be nice if raw.githubusercontent.com gave you some signal back, even if it’s just a header saying “auth not supported.” Right now it’s just guesswork.

Hope that helps - and if you find anything better, I’m all ears too!
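
An added example (not part of the thread and not GitHub's own code) of the route this reply describes: requesting a file through the REST contents endpoint with a token, then reading the `x-ratelimit-*` headers to confirm the token took effect. The function names, the client name and the "limit above 60 means the token was honoured" heuristic are assumptions of this example; the sample header values are the ones quoted in the question.

```python
import time
import urllib.parse
import urllib.request

API_ROOT = "https://api.github.com"
UNAUTHENTICATED_LIMIT = 60  # documented REST API limit per hour without a token

# Constructed sample: the header values quoted in the question above.
SAMPLE_HEADERS = {
    "x-ratelimit-limit": "5000", "x-ratelimit-remaining": "4998",
    "x-ratelimit-reset": "1748427512", "x-ratelimit-used": "2",
    "x-ratelimit-resource": "core",
}

def build_contents_request(owner, repo, path, token=None, ref=None):
    """Build a contents-API request that returns the raw file body."""
    url = f"{API_ROOT}/repos/{owner}/{repo}/contents/{urllib.parse.quote(path)}"
    if ref:
        url += "?ref=" + urllib.parse.quote(ref, safe="")
    headers = {
        "Accept": "application/vnd.github.raw+json",  # raw bytes, not base64 JSON
        "X-GitHub-Api-Version": "2022-11-28",
        "User-Agent": "contents-fetch-example",  # hypothetical client name
    }
    if token:  # the token goes only to api.github.com, never into the URL
        headers["Authorization"] = f"Bearer {token}"
    return urllib.request.Request(url, headers=headers)

def rate_limit_status(headers, now=None):
    """Interpret x-ratelimit-* headers; None means the server sent no feedback."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-ratelimit-limit" not in h:
        return None
    limit, remaining = int(h["x-ratelimit-limit"]), int(h["x-ratelimit-remaining"])
    reset = int(h["x-ratelimit-reset"])  # epoch seconds
    now = time.time() if now is None else now
    return {
        "limit": limit,
        "remaining": remaining,
        "resource": h.get("x-ratelimit-resource"),
        # Heuristic (assumption): above the unauthenticated limit = token honoured.
        "token_honoured": limit > UNAUTHENTICATED_LIMIT,
        "wait_seconds": max(0, reset - int(now)) if remaining == 0 else 0,
    }

def fetch_file(owner, repo, path, token, ref=None):
    """Fetch the file and report the rate-limit state of that same response."""
    req = build_contents_request(owner, repo, path, token, ref)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read(), rate_limit_status(resp.headers)
```

A `None` status from `rate_limit_status` is the "no feedback" case the thread describes for raw.githubusercontent.com, so a caller can treat it as "authentication unverified" rather than assuming a 200 means the token was used.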


The raw subdomain has always been different from the API. It goes way back that people provided proxied alternatives -- ie rawgit, statically, etc.

Are you getting rate-limited?

3 replies

@fritzmg

@jtarchie

@fritzmg

Yes, it was always there - but now it is 1 per minute instead of ~83 per minute.

1 reply

@jarofgreen

I don't understand - that appears to be a roblox command, but there is no authentication there? And so would also be rate limited?
