---
component: provenance-governor
version: "1.7"
slug: provenance-governor/app-config-external-apis
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/app-config-external-apis/"
title: "External API Configuration"
description: "Guide to configuring retry, concurrency, and resilience for external API communication in Develocity Provenance Governor."
keywords:
  - "supply chain"
  - "configuration"
  - "API"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# External API Configuration

<a id="preamble"></a>

<a id="external-api-configuration"></a>

Develocity Provenance Governor communicates with two external APIs to generate dependency insights during Policy Scan™ evaluations:

*   **OSV** (Open Source Vulnerabilities) — vulnerability data from [osv.dev](https://osv.dev)
    
*   **OSI** (Open Source Insights) — package metadata, licenses, and version history from [deps.dev](https://deps.dev)
    

Both clients support configurable retry with exponential backoff, concurrency limits, and graceful degradation when retries are exhausted. All properties are optional; when a property is omitted, the default listed in the tables below applies.

<a id="osv-properties"></a>

## OSV Properties

   
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| osv.retries.attempts | int | 3 | Maximum number of retry attempts for transient failures. |
| osv.retries.min-backoff | duration | 1s | Minimum backoff duration between retries (exponential backoff). |
| osv.batch-size | int | 1000 | Maximum queries per OSV batch call. Hard-capped at 1000 (OSV API limit); values above 1000 are clamped with a warning. |
| osv.max-concurrency | int | 20 | Maximum concurrent OSV requests for batch and detail fetching. |
| osv.base-url | string | https://api.osv.dev | Base URL of the OSV API. |
| osv.max-in-memory-size | data size | 10000KB | Maximum in-memory buffer size for response decoding. Value is a number followed by a unit: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), or TB (terabytes). For example, 10000KB and 10MB are roughly equivalent. |

<a id="osi-properties"></a>

## OSI Properties

   
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| osi.retries.attempts | int | 3 | Maximum number of retry attempts for transient failures. |
| osi.retries.min-backoff | duration | 1s | Minimum backoff duration between retries (exponential backoff). |
| osi.max-concurrency | int | 10 | Maximum concurrent OSI requests. Reduced from a previous default of 20 to lower the risk of triggering rate limits. |
| osi.base-url | string | https://api.deps.dev | Base URL of the OSI API. |
| osi.max-in-memory-size | data size | 10000KB | Maximum in-memory buffer size for response decoding. Value is a number followed by a unit: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), or TB (terabytes). For example, 10000KB and 10MB are roughly equivalent. |

<a id="retry-behavior"></a>

## Retry Behavior

Transient failures are automatically retried with exponential backoff. The following error types are classified as retryable:

*   HTTP 5xx server errors
    
*   HTTP 429 Too Many Requests
    
*   Network-level errors (I/O exceptions, channel errors)
    

When all retries are exhausted:

*   **Vulnerability lookups** — the affected vulnerability is silently omitted from the report.
    
*   **Package metadata lookups** — the package is treated as if the OSI API returned no data.
    

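This ensures that a single flaky API call does not fail an entire scan. The trade-off is that a scan can complete with vulnerability or package data missing for the lookups that exhausted their retries, so a completed report does not by itself show that every lookup succeeded.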

<a id="configuration-example"></a>

## Configuration Example

```yaml
osv:
  retries:
    attempts: 3
    min-backoff: 1s
  batch-size: 1000
  max-concurrency: 20

osi:
  retries:
    attempts: 3
    min-backoff: 1s
  max-concurrency: 10
```

<a id="tuning-for-rate-limited-environments"></a>

## Tuning for Rate-Limited Environments

If you observe frequent retry exhaustion in logs, consider:

*   **Reducing `max-concurrency`** — lowers burst pressure on the external API (e.g., `osi.max-concurrency: 5`).
    
*   **Increasing `min-backoff`** — gives the external API more time to recover between retries.
    
*   **Reducing `osv.batch-size`** — sends smaller batches to the OSV API if large batches trigger rate limiting.
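
To compare the effect of these three settings before changing them, the following added example (not Provenance Governor code) estimates the number of OSV batch calls, the peak number of batch requests in flight, and how long a failing call keeps retrying. It models batch calls only, and the doubling factor without jitter is an assumption, since this page only states that backoff is exponential; the function names and the 2500-query workload are constructed for illustration.

```python
"""Added example (not Provenance Governor code): load estimate for OSV tuning."""
import math
import warnings

OSV_BATCH_HARD_CAP = 1000  # OSV API limit stated in the property table


def effective_batch_size(configured: int) -> int:
    """Apply the documented clamp: values above 1000 become 1000 with a warning."""
    if configured < 1:
        raise ValueError("osv.batch-size must be a positive integer")
    if configured > OSV_BATCH_HARD_CAP:
        warnings.warn(f"osv.batch-size {configured} clamped to {OSV_BATCH_HARD_CAP}")
        return OSV_BATCH_HARD_CAP
    return configured


def backoff_schedule(attempts: int, min_backoff_s: float, factor: float = 2.0):
    """Wait before each retry. ASSUMPTION: doubling, no jitter, no upper bound."""
    return [min_backoff_s * factor ** i for i in range(attempts)]


def plan(queries, batch_size, max_concurrency, attempts, min_backoff_s):
    """Estimate burst size and the retry window for one set of osv.* values."""
    calls = math.ceil(queries / effective_batch_size(batch_size))
    waits = backoff_schedule(attempts, min_backoff_s)
    return {
        "batch_calls": calls,
        "peak_in_flight": min(calls, max_concurrency),
        "retry_waits_s": waits,
        "wait_before_give_up_s": sum(waits),
    }


if __name__ == "__main__":
    # Constructed workload: 2500 dependency queries in one scan.
    print("defaults:", plan(2500, 1000, 20, 3, 1.0))
    print("tuned:   ", plan(2500, 250, 5, 3, 2.0))
```

In this model a smaller `osv.batch-size` raises the number of batch calls, so it lowers burst pressure only when `osv.max-concurrency` is reduced along with it.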