Jira rate limiting is not working due to cookies/headers in the requests


アトラシアン コミュニティをご利用ください。


プラットフォームについて: Data Center のみ - この記事は、Data Center プラットフォームのアトラシアン製品にのみ適用されます。

この KB は Data Center バージョンの製品用に作成されています。Data Center 固有ではない機能の Data Center KB は、製品のサーバー バージョンでも動作する可能性はありますが、テストは行われていません。サーバー*製品のサポートは 2024 年 2 月 15 日に終了しました。サーバー製品を利用している場合は、アトラシアンのサーバー製品のサポート終了のお知らせページにて移行オプションをご確認ください。

*Fisheye および Crucible は除く


Jira users that are used for automated or scripted clients consuming Jira REST API, if the rate limiting is configured, limitations set for these users will be applied. In some cases, If the client is considered as a UI user, even if rate limiting is configured, REST API requests to Jira from these clients are not rate limited. 


Jira Data Center 8.6 or higher.


To view more detail, add the com.atlassian.ratelimiting.internal.requesthandler package as TRACE in Logging and Profiling.

2023-02-08 16:16:51,485+0000 http-nio- url: /rest/api/latest/search TRACE anonymous 276x62016x1 1grt0i /rest/api/latest/search [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[x-forwarded-host, x-forwarded-server, x-forwarded-for, host, content-length, x-real-ip, x-forwarded-proto, x-forwarded-port, user-agent, accept-encoding, accept, content-type, cookie, authorization]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[8AE544D26AE19FF01AF945CF37B77C31], atlassian.xsrf.token=[B6ZK-S1PB-6D72-MBIQ_e52aff75d49c4b7e22e8f8b4ef88536460b8dae]}] (count: 2), is UI request: [true]
2023-02-08 16:16:51,485+0000 http-nio- url: /rest/api/latest/search TRACE anonymous 276x62016x1 1grt0i /rest/api/latest/search [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: Basic bXl1c2VyOk5vdFRvZGF5Cg==

(info) As of this writing, the part "is UI request: [true/false]" in the logs is not completely accurate. It just shows check number 2 listed below. This is tracked in JRASERVER-74804 - Getting issue details... STATUS


In some cases, requests are considered as UI requests. As a result, these requests are not rate-limited.

To determine if a request is made from the UI, we check:

  1. If the Authorization header is of the Basic or Bearer (token) types, it is not a UI request and might be throttled.
    (info) This Authorization header check takes precedence. If it determines the request is not UI-based, the next check isn't even performed.
  2. Then we check these elements below in the request. If there are 2 or more, the request is considered as originating from the UI.
    • Header - "origin"
    • Header - "Referer"
    • Cookie - "JSESSIONID"
    • Cookie - "atlassian.xsrf.token"

As an example, the log entry above (in the Diagnosis section) is not considered to be UI-based and might be throttled.


Remove the unnecessary cookie/header data from the requests and/or change the authentication method to basic or token.

最終更新日: 2023 年 2 月 8 日


Powered by Confluence and Scroll Viewport.