# Rate Limiting
Rate limiting protects your API from abuse and ensures fair usage. Let's learn how to implement it effectively.
## Why Rate Limit?
- Prevent abuse: Stop malicious actors from overwhelming your API
- Ensure fairness: Prevent one client from monopolizing resources
- Reduce costs: Control infrastructure spending
- Improve reliability: Maintain performance for all users
## Rate Limiting Concepts
### Requests Per Time Window
A limit is expressed as a maximum number of requests per time window, for example:
- 100 requests per minute
- 1000 requests per hour
- 10000 requests per day
### Rate Limit Headers
Standard headers to communicate limits:
```http
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200
```
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed in the current window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | When the limit resets (Unix timestamp, seconds) |
### 429 Too Many Requests
When a client exceeds its limit, respond with status 429, the rate limit headers, and a `Retry-After` header:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 60
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1704067200
```
```json
{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many requests. Please retry after 60 seconds."
  }
}
```
## Rate Limiting Algorithms
### Fixed Window
Count requests in fixed time windows (e.g., per minute); the counter resets at the start of each window.
```text
[12:00-12:01] 100 requests allowed
[12:01-12:02] 100 requests allowed
```
Problem: bursts at window boundaries. A client can send 100 requests at 12:00:59 and another 100 at 12:01:00, so 200 requests land within 2 seconds while each window individually stays within its limit.
### Sliding Window
Smooth the fixed window by also counting the previous window, weighted by how much of it still overlaps the trailing window. This removes the boundary burst at the cost of a second counter per client.
### Token Bucket
A bucket holds up to a fixed number of tokens and refills at a steady rate; each request consumes one token and is rejected when the bucket is empty. An idle client accumulates tokens, so short bursts are allowed while the long-run average rate is bounded by the refill rate.
### Leaky Bucket
Requests enter a queue of bounded size and are processed at a fixed rate; requests that arrive when the queue is full are rejected. The output rate is always smooth, even when the input is bursty.
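The following is an added example, not code from the original lesson: the fixed window, sliding window counter and token bucket algorithms implemented side by side, with an injected clock (`nowMs`, an assumption made for testability) so the window-boundary burst described above can be reproduced. The `boundaryBurst` helper and the `client-a` key are constructed for the demonstration.

```javascript
// Fixed window: one counter per [floor(now / windowMs)] bucket.
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.counts = new Map(); // key -> { windowStart, count }
  }
  allow(key, nowMs) {
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    let entry = this.counts.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 }; // new window: counter resets
      this.counts.set(key, entry);
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

// Sliding window counter: weight the previous window's count by the fraction
// of it that still overlaps the trailing windowMs, then add the current count.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.state = new Map(); // key -> { windowStart, current, previous }
  }
  allow(key, nowMs) {
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    let s = this.state.get(key);
    if (!s) {
      s = { windowStart, current: 0, previous: 0 };
      this.state.set(key, s);
    } else if (s.windowStart !== windowStart) {
      // Roll over: the old count only matters if exactly one window elapsed.
      s.previous = s.windowStart + this.windowMs === windowStart ? s.current : 0;
      s.current = 0;
      s.windowStart = windowStart;
    }
    const elapsedFraction = (nowMs - windowStart) / this.windowMs;
    const estimate = s.previous * (1 - elapsedFraction) + s.current;
    if (estimate >= this.limit) return false;
    s.current += 1;
    return true;
  }
}

// Token bucket: up to `capacity` tokens, refilled at refillPerSec; one per request.
class TokenBucketLimiter {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map(); // key -> { tokens, lastMs }
  }
  allow(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, lastMs: nowMs }; // new client starts full
      this.buckets.set(key, b);
    }
    const refill = ((nowMs - b.lastMs) / 1000) * this.refillPerSec;
    b.tokens = Math.min(this.capacity, b.tokens + refill);
    b.lastMs = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Constructed scenario: 100 requests at 12:00:59, then 100 more at 12:01:00.
// Returns how many of the 200 requests the limiter accepted within that 1 s span.
function boundaryBurst(limiter) {
  const t0 = 12 * 3600000 + 59000; // 12:00:59 as ms since midnight (constructed clock)
  let allowed = 0;
  for (let i = 0; i < 100; i++) if (limiter.allow('client-a', t0)) allowed++;
  for (let i = 0; i < 100; i++) if (limiter.allow('client-a', t0 + 1000)) allowed++;
  return allowed;
}

const MINUTE = 60000;
console.log('fixed window  :', boundaryBurst(new FixedWindowLimiter(100, MINUTE)));
console.log('sliding window:', boundaryBurst(new SlidingWindowLimiter(100, MINUTE)));
console.log('token bucket  :', boundaryBurst(new TokenBucketLimiter(100, 100 / 60)));
```

With a limit of 100 per minute, the fixed window accepts all 200 requests of the burst, the sliding window counter accepts only the first 100 (at 12:01:00 the previous window still counts at full weight), and a token bucket of capacity 100 refilling at 100/60 tokens per second accepts 101: the initial full bucket plus the single token that refilled during the one-second gap.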
## Rate Limit Tiers
Different limits for different users:
```javascript
const limits = {
  free: { requests: 100, window: '1h' },
  basic: { requests: 1000, window: '1h' },
  pro: { requests: 10000, window: '1h' },
  enterprise: { requests: 100000, window: '1h' }
};
```
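As an added example (not part of the original lesson), here is a framework-agnostic function that applies the tier table above and produces the rate limit headers, the 429 status and the error body shown earlier. The function name `checkRequest`, the `clientId`/`tier` parameters, the injected `nowMs` clock and the `windowToMs` parser for the `'1h'` notation are all assumptions; in a real service this would be called from the HTTP framework's middleware with the authenticated client's identity and plan.

```javascript
const limits = {
  free: { requests: 100, window: '1h' },
  basic: { requests: 1000, window: '1h' },
  pro: { requests: 10000, window: '1h' },
  enterprise: { requests: 100000, window: '1h' }
};

// Parse the short window notation used in the tier table ('30s', '1m', '1h', '1d').
function windowToMs(spec) {
  const m = /^(\d+)([smhd])$/.exec(spec);
  if (!m) throw new Error(`bad window spec: ${spec}`);
  const unit = { s: 1000, m: 60000, h: 3600000, d: 86400000 }[m[2]];
  return Number(m[1]) * unit;
}

const counters = new Map(); // clientId -> { windowStart, count } (in-memory; assumption)

// Decide one request. Returns { status, headers, body }; nowMs is epoch milliseconds.
function checkRequest(clientId, tier, nowMs) {
  const plan = limits[tier];
  if (!plan) throw new Error(`unknown tier: ${tier}`);
  const windowMs = windowToMs(plan.window);
  const windowStart = Math.floor(nowMs / windowMs) * windowMs;
  let c = counters.get(clientId);
  if (!c || c.windowStart !== windowStart) {
    c = { windowStart, count: 0 }; // fixed window: reset at the boundary
    counters.set(clientId, c);
  }
  const resetSec = Math.ceil((windowStart + windowMs) / 1000); // Unix seconds
  if (c.count >= plan.requests) {
    const retryAfter = Math.ceil((windowStart + windowMs - nowMs) / 1000);
    return {
      status: 429,
      headers: {
        'Retry-After': String(retryAfter),
        'X-RateLimit-Limit': String(plan.requests),
        'X-RateLimit-Remaining': '0',
        'X-RateLimit-Reset': String(resetSec)
      },
      body: {
        error: {
          code: 'RATE_LIMIT_EXCEEDED',
          message: `Too many requests. Please retry after ${retryAfter} seconds.`
        }
      }
    };
  }
  c.count += 1; // count the request only when it is admitted
  return {
    status: 200,
    headers: {
      'X-RateLimit-Limit': String(plan.requests),
      'X-RateLimit-Remaining': String(plan.requests - c.count),
      'X-RateLimit-Reset': String(resetSec)
    },
    body: null
  };
}

// Constructed walk-through: a free-tier client 10 minutes into the hourly window
// that ends at the Unix time 1704067200 used in the header examples above.
const now = 1704063600000 + 10 * 60000;
console.log(checkRequest('demo-client', 'free', now).headers);
for (let i = 0; i < 99; i++) checkRequest('demo-client', 'free', now);
console.log(checkRequest('demo-client', 'free', now)); // 101st request -> 429
```

The limit is looked up by tier per request, so a plan upgrade takes effect immediately, and the counter is keyed by client rather than by plan so one noisy free-tier client cannot consume another's quota. The `Map` is process-local; a multi-instance deployment would keep the counters in a shared store so that every instance enforces the same limit.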
## Best Practices
### 1. Be Transparent
Always include rate limit headers in responses.
### 2. Provide Retry-After
Tell clients when they can retry:
```http
Retry-After: 60
```
### 3. Different Limits for Different Endpoints
```text
GET /api/users: 100/min
POST /api/users: 10/min
GET /api/search: 30/min
```
### 4. Allow Bursts
Token bucket allows short bursts while maintaining the average rate.
### 5. Document Your Limits
```markdown
## Rate Limits
| Plan | Requests/hour |
|------|---------------|
| Free | 100 |
| Pro | 10,000 |
```
## Summary
Rate limiting protects your API by:
- Limiting requests per time window
- Communicating limits via headers
- Returning 429 when exceeded
- Supporting different tiers

