403 Forbidden error downloading from Central Repository
Question
I am receiving the following response when making requests to Maven Central:
Error 403 Forbidden:
This IP has been blocked for excessive or automated consumption of Maven Central in violation of the Terms of Service (https://central.sonatype.org/terms.html). Scraping, catalog enumeration, and systematic mirroring are prohibited. Evasion attempts — including IP rotation, user-agent spoofing, or proxy circumvention — will result in escalated enforcement.
I think my IP address may be blocked. What can I do?
Answer
403 is not the same as 429
A 429 Too Many Requests is a rate limit signal — temporary and recoverable. A 403 Forbidden means the traffic has crossed into a category treated as abusive, evasive, or otherwise outside permitted use.
A 403 Forbidden response means Maven Central has blocked the request based on abuse detection, policy enforcement, or violation of the Central Repository Terms of Service.
Some behavior that initially triggers 429 rate limits can escalate to a 403 if it continues aggressively or appears to be attempting to evade enforcement. For example, sustained excessive requests, repeated high-volume metadata or artifact consumption, or traffic that shifts across IPs to avoid limits may be treated differently from ordinary overconsumption.
Per the Central Repository Terms of Service, examples of behavior that may result in blocking include, but are not limited to:
- Attempting to download all or large portions of Central, including scraping, catalog enumeration, or systematic mirroring
- Attempts to defeat or evade abuse detection mechanisms
- Commercial Infrastructure Use of Central without express permission from Sonatype
- Other activity that violates the Central Repository Terms of Service
Commercial Infrastructure Use
Commercial Infrastructure Use generally refers to using Maven Central as part of a commercial service, platform, tool, scanner, hosted build system, cache, mirror, or other infrastructure offering, rather than ordinary development or open source consumption.
The Central Repository Terms of Service describe Central's original intended purpose as "distribution of open source software" for developers to download project binaries. Using Central as backend infrastructure for a commercial product goes beyond that intended purpose.
If these 403 errors are breaking a system that is not your own build environment, it is quite likely you fall into this category.
For further information, see the full Central Repository Terms of Service.
Could this be a mistake?
Yes. Automated abuse detection can misclassify traffic, especially when many systems share the same egress IP or when another tool is generating traffic you do not control or cannot easily see.
A 403 may be triggered by your own systems, but it can also be caused by other activity sharing the same outbound IP, NAT gateway, VPN, proxy, hosted CI environment, cloud provider, or infrastructure platform. In more severe cases, abusive actors aggressively churn through IP addresses, which can result in broader blocks across subnets or, in extreme cases, entire ASNs.
If you are not intentionally abusing Maven Central, we want to help you determine what is happening and get it corrected.
Before contacting support
Start by identifying the egress IP address or IP range involved. This is the first thing we need in order to investigate. Maven Central sees traffic at the network edge; we cannot reliably investigate based only on organization name, project name, build name, or account.
Your egress IP is the outbound IP Maven Central sees when your builds, tools, scanners, repository managers, or automation make requests. This may be:
- A cloud NAT gateway IP
- A corporate proxy, firewall, or VPN egress IP
- A hosted CI provider's egress IP or IP range
- A shared build platform or infrastructure provider's outbound IP
- The outbound IP used by a scanner, SCA tool, container tool, data cluster, or other automation
If you use a shared platform and cannot identify the egress IP, contact the provider or internal network team first. They are usually in a better position to see the outbound IPs, the traffic patterns, and the other systems sharing that egress path.
Look for tools bypassing your repository manager
If you use a repository manager, do not assume the repository manager is the source of the block. In our investigations around Maven Central consumption issues, the problem is often traffic that bypasses the repository manager entirely.
Look for direct traffic to Maven Central from:
- CI jobs
- Container builds
- SCA tools
- SBOM generators
- Dependency analysis tools
- Security scanners
- Data cluster provisioning
- Developer machines
- Vendor tools or automation
- Legacy scripts or plugins
This is especially important when multiple systems share the same egress IP. From Maven Central's perspective, direct traffic from these systems may be grouped with repository manager traffic behind the same IP.
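An added example, not part of the original page and not Sonatype tooling: one way to run this check is to scan an egress proxy or firewall log for requests to the Maven Central hosts that did not come from the repository manager, grouped by internal source and user agent. The log layout, the repository manager address `10.0.0.5` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Host names as listed on this page, grouped by the page's endpoint categories.
CENTRAL_HOSTS = {
    "repo1.maven.org": "repository download",
    "repo.maven.apache.org": "repository download",
    "search.maven.org": "search",
    "central.sonatype.com": "publishing",
}
REPO_MANAGER_IPS = {"10.0.0.5"}  # assumption: placeholder address of your repository manager

# Assumed (hypothetical) log layout: time src_ip method host[:port] path status "user-agent"
LINE = re.compile(r'^\S+ (\S+) \S+ (\S+) \S+ (\d{3}) "([^"]*)"$')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET repo1.maven.org /maven2/org/example/lib/1.0/lib-1.0.jar 200 "repo-manager/1.0"
2024-05-01T10:00:02Z 10.0.3.17 GET repo1.maven.org /maven2/org/example/lib/1.0/lib-1.0.pom 200 "Apache-Maven/3.9.6"
2024-05-01T10:00:03Z 10.0.3.17 GET repo.maven.apache.org:443 /maven2/org/example/lib/maven-metadata.xml 429 "Apache-Maven/3.9.6"
2024-05-01T10:00:04Z 10.0.7.40 GET search.maven.org /solrsearch/select?q=example 403 "example-scanner/1.0"
2024-05-01T10:00:05Z 10.0.7.40 GET repo1.maven.org /maven2/org/example/ 403 "example-scanner/1.0"
2024-05-01T10:00:06Z 10.0.3.17 GET internal.example.com /health 200 "curl/8.4.0"
"""


def direct_central_traffic(log_text, repo_manager_ips=REPO_MANAGER_IPS):
    """Summarise requests to Central hosts that bypassed the repository manager."""
    report = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line does not fit the assumed layout
        src, host, status, agent = m.groups()
        endpoint = CENTRAL_HOSTS.get(host.lower().split(":")[0])  # drop any :port
        if endpoint is None or src in repo_manager_ips:
            continue  # not Central, or the expected repository-manager path
        entry = report.setdefault(
            (src, agent), {"requests": 0, "status": Counter(), "endpoints": Counter()}
        )
        entry["requests"] += 1
        entry["status"][status] += 1
        entry["endpoints"][endpoint] += 1
    return report


if __name__ == "__main__":
    for (src, agent), e in sorted(direct_central_traffic(SAMPLE_LOG).items()):
        print(src, agent, e["requests"], dict(e["status"]), dict(e["endpoints"]))
```

The source addresses in such a log are internal; the egress IP that Maven Central sees is the outbound address of the proxy or NAT gateway those systems share.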
The following pages are written for 429 rate limit scenarios, but the guidance for identifying which tools are generating traffic applies equally here. If you are seeing a 403, the same investigation steps can help you find what is responsible.
What to include when contacting support
We will ask for your egress IP first
The egress IP address (or IP range) that your traffic exits from is the first piece of information we need. Without it, there is very little we can do. We cannot look up block activity by organization name, project name, or account. We can only look up what Maven Central sees at the network edge, which means we need the specific IP or range involved.
Please do not contact support without this information — your ticket will be on hold until we have it.
If you believe the block is incorrect, or if you need help determining what is causing it, contact Central Support with as much detail as possible.
Include:
- The blocked egress IP address or IP range
- The exact error you are seeing, including the full error text
- Which Maven Central endpoints are being accessed — repository download (repo1.maven.org, repo.maven.apache.org), search (search.maven.org), or publishing (central.sonatype.com)
- Whether the traffic comes from builds, CI, scanners, containers, repository managers, data clusters, or other automation
- Whether you use a repository manager
- Whether the affected systems share egress with other teams, tenants, customers, or providers
- Any recent changes to your tooling, build systems, scanners, infrastructure, or outbound network configuration
- Any support case already opened with your cloud, CI, VPN, or infrastructure provider
Commercial Sonatype customers
Commercial Sonatype support account
If you have a paid Sonatype support account as part of a Sonatype product license, please use it. Commercial support tickets are routed and prioritized separately from the general Central Support queue. See How do I create a standard request for product/technical support for how to open a ticket.
Contact us
If you believe your IP was blocked in error, or you need help identifying the source of the traffic, contact Central Support.