Rate limiting guide

Rate limiting is a technique used to control how many requests a user can make to your API within a specific time. It helps protect your API from abuse, ensures fair usage, and improves system stability.

What is Rate Limiting?

Rate limiting restricts the number of API requests a client can make within a given period.

Example:

100 requests per minute per user

If exceeded:

429 Too Many Requests

Why Rate Limiting is Important

Without rate limiting:

  • Abuse goes unchecked
  • Usage is unfair between clients
  • System stability suffers

With rate limiting:

  • Stable performance
  • Better user experience
  • Controlled usage
  • Protects server resources

Common Rate Limiting Types

1. Fixed Window

Limit requests in a fixed time window.

Example:

100 requests per minute

Simple but can cause spikes.

2. Sliding Window

Tracks requests over a rolling time window.

Better accuracy:

Last 60 seconds → max 100 requests

3. Token Bucket

Users get tokens to make requests.

Example:

Bucket size: 100

Refill: 10 tokens/sec

Smooth traffic handling

4. Leaky Bucket

Requests are processed at a fixed rate.

Good for:

  • Traffic shaping
  • Preventing bursts
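To make the differences between the four types concrete, here is an added example (not code from the original guide) that implements each one as a small function with the current time passed in, so the runs are deterministic. It goes a step beyond the guide by showing the boundary spike a fixed window permits and a sliding window blocks. All names (fixedWindow, slidingWindow, tokenBucket, leakyBucket, burst and the demo functions) are this example's own.

```javascript
// Added example (not from the original guide): the four limiter types above
// as small pure functions. Each takes the current time in ms so the runs are
// deterministic; all names here are this example's own.

// 1. Fixed window: one counter per wall-clock window, reset on rollover.
function fixedWindow(limit, windowMs) {
  let current = -1, count = 0;
  return (now) => {
    const id = Math.floor(now / windowMs);
    if (id !== current) { current = id; count = 0; }
    if (count < limit) { count += 1; return true; }
    return false;
  };
}

// 2. Sliding window (log): keep timestamps of allowed requests, drop the
// ones older than the window, allow while fewer than `limit` remain.
function slidingWindow(limit, windowMs) {
  const log = [];
  return (now) => {
    while (log.length && now - log[0] >= windowMs) log.shift();
    if (log.length < limit) { log.push(now); return true; }
    return false;
  };
}

// 3. Token bucket: tokens refill continuously up to `capacity`; each request
// spends one, so bursts up to the bucket size are allowed.
function tokenBucket(capacity, refillPerSec) {
  let tokens = capacity, last = null;
  return (now) => {
    if (last !== null) tokens = Math.min(capacity, tokens + ((now - last) / 1000) * refillPerSec);
    last = now;
    if (tokens >= 1) { tokens -= 1; return true; }
    return false;
  };
}

// 4. Leaky bucket (meter form): the bucket drains at a fixed rate and a
// request is accepted only if it fits, so the sustained accepted rate is
// bounded by leakPerSec.
function leakyBucket(capacity, leakPerSec) {
  let level = 0, last = null;
  return (now) => {
    if (last !== null) level = Math.max(0, level - ((now - last) / 1000) * leakPerSec);
    last = now;
    if (level + 1 <= capacity) { level += 1; return true; }
    return false;
  };
}

// Fire `n` requests, one per millisecond, and count how many were allowed.
function burst(allow, startMs, n) {
  let ok = 0;
  for (let i = 0; i < n; i++) if (allow(startMs + i)) ok += 1;
  return ok;
}

// The spike the guide warns about: 100 requests just before a minute
// boundary and 100 just after. The fixed window lets all 200 through within
// 300 ms; the sliding window holds the second batch.
function boundarySpike() {
  const fixed = fixedWindow(100, 60000);
  const sliding = slidingWindow(100, 60000);
  return {
    fixed: burst(fixed, 59800, 100) + burst(fixed, 60000, 100),
    sliding: burst(sliding, 59800, 100) + burst(sliding, 60000, 100),
  };
}

// Token bucket of 100 refilling 10/sec: a burst of 150 at once yields 100,
// and one second later 10 more tokens are available.
function tokenBucketBurst() {
  const allow = tokenBucket(100, 10);
  let first = 0, later = 0;
  for (let i = 0; i < 150; i++) if (allow(0)) first += 1;
  for (let i = 0; i < 20; i++) if (allow(1000)) later += 1;
  return { burst: first, afterOneSecond: later };
}

// Leaky bucket of capacity 5 draining 1/sec: 5 of 10 accepted at once, then
// 3 more after three seconds have drained 3 units.
function leakyBucketShape() {
  const allow = leakyBucket(5, 1);
  let first = 0, later = 0;
  for (let i = 0; i < 10; i++) if (allow(0)) first += 1;
  for (let i = 0; i < 10; i++) if (allow(3000)) later += 1;
  return { burst: first, afterThreeSeconds: later };
}

console.log(boundarySpike(), tokenBucketBurst(), leakyBucketShape());
```

The sliding-window log costs memory proportional to the limit per client; production systems often use the cheaper sliding-window counter approximation or a token bucket in Redis instead.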

How Rate Limiting Works

Flow:

Request → Check limit → Allow / Block → Respond

Implementation Example (Node.js)

Basic Rate Limiter

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

const limiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute window
  max: 100,            // limit each IP to 100 requests per window
  message: "Too many requests"
});

// Apply the limiter to every route under /api/
app.use('/api/', limiter);

app.listen(3000);

API Response Headers (Important)

Send headers so clients know the limit, how many requests remain, and how many seconds until the window resets:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 80
X-RateLimit-Reset: 60

Best Practices

  • Apply limits per:
    • API key
    • IP address
  • Use distributed storage (Redis)
  • Return a proper error message
  • Log blocked requests
  • Combine with authentication

Common Mistakes

  • No rate limiting at all
  • Same limit for all users
  • Not informing users about limits
  • Blocking legitimate users

When to Use Rate Limiting

Always use it for:

  • Public APIs
  • High traffic systems
  • Paid APIs

Integration with API Monetization

Rate limiting plays a key role in API monetization:

  • Free tier → strict limits
  • Paid users → higher limits
  • Enterprise → custom limits

Works perfectly with Stripe billing

Example Response (Limit Exceeded)

{
  "error": "Too many requests",
  "retry_after": 60
}
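The response headers, the per-API-key and logging best practices, the tiered limits from the monetization section, and the 429 body above come together in this added example (not code from the original guide). It applies a tier's limit per API key in a fixed one-minute window, sets the X-RateLimit-* headers on every response, logs each blocked request, and returns the JSON body shown above with retry_after. The tiers, the key-to-tier mapping and all function names are constructed for the example; a real service would load that mapping from its billing system (Stripe is not modelled here).

```javascript
// Added example (not from the original guide): a per-API-key limiter that
// applies a tier's limit, sets the X-RateLimit-* headers, logs blocked
// requests, and returns the 429 body shown above. Tiers, keys and window
// are constructed sample values.

const WINDOW_MS = 60 * 1000;

// Requests allowed per window, per tier (sample values).
const TIERS = { free: 100, paid: 1000, enterprise: 10000 };

// Constructed sample: which tier each API key belongs to. The key is
// authenticated first; limits are then applied to the key, not the IP.
const KEY_TIERS = new Map([
  ['key-free-1', 'free'],
  ['key-paid-1', 'paid'],
  ['key-ent-1', 'enterprise'],
]);

const counters = new Map(); // apiKey -> { windowId, count }
const blocked = [];         // audit log of rejected requests

function resetState() { counters.clear(); blocked.length = 0; }
function blockedLog() { return blocked.slice(); }

// Returns { status, headers, body } for one request from `apiKey` at `now`.
function checkLimit(apiKey, now = Date.now()) {
  const tier = KEY_TIERS.get(apiKey);
  if (!tier) {
    return { status: 401, headers: {}, body: { error: 'Unknown API key' } };
  }
  const limit = TIERS[tier];
  const windowId = Math.floor(now / WINDOW_MS);
  let c = counters.get(apiKey);
  if (!c || c.windowId !== windowId) {
    c = { windowId, count: 0 };
    counters.set(apiKey, c);
  }
  // Seconds until the current window ends (what X-RateLimit-Reset reports).
  const resetSec = Math.ceil(((windowId + 1) * WINDOW_MS - now) / 1000);
  const headers = {
    'X-RateLimit-Limit': String(limit),
    'X-RateLimit-Reset': String(resetSec),
  };
  if (c.count >= limit) {
    blocked.push({ apiKey, tier, at: now });
    headers['X-RateLimit-Remaining'] = '0';
    headers['Retry-After'] = String(resetSec);
    return {
      status: 429,
      headers,
      body: { error: 'Too many requests', retry_after: resetSec },
    };
  }
  c.count += 1;
  headers['X-RateLimit-Remaining'] = String(limit - c.count);
  return { status: 200, headers, body: null };
}

// Sample run: exhaust the free tier at t=0; the paid key is unaffected.
function demo() {
  resetState();
  let last;
  for (let i = 0; i < 101; i++) last = checkLimit('key-free-1', 0);
  return { free101st: last, paid: checkLimit('key-paid-1', 0) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The in-memory Map is only correct on a single process; with several API instances the counters belong in shared storage such as Redis, as the best practices list says, or each instance will independently grant the full limit.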