Rate limiting guide

Rate limiting is a technique used to control how many requests a user can make to your API within a specific time. It helps protect your API from abuse, ensures fair usage, and improves system stability.

What is Rate Limiting?

Rate limiting restricts the number of API requests.

Example:

100 requests per minute per user

If exceeded:

429 Too Many Requests

Why Rate Limiting is Important

Without rate limiting:

  • Servers can crash
  • APIs can be abused
  • Costs can increase
  • Unfair usage by a single user

With rate limiting:

  • Stable performance
  • Better user experience
  • Controlled usage
  • Protects server resources

Common Rate Limiting Types

1. Fixed Window

Limit requests in a fixed time window.

Example:

100 requests per minute

Simple but can cause spikes.

2. Sliding Window

Tracks requests over a rolling time window.

Better accuracy:

Last 60 seconds → max 100 requests

3. Token Bucket

Users get tokens to make requests.

Example:

Bucket size: 100

Refill: 10 tokens/sec

Smooth traffic handling

4. Leaky Bucket

Requests are processed at a fixed rate.

Good for:

  • Traffic shaping
  • Preventing bursts

How Rate Limiting Works

Flow:

Request → Check limit → Allow / Block → Respond

Implementation Example (Node.js)

Basic Rate Limiter

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 100, // limit each IP
  message: "Too many requests"
});

app.use('/api/', limiter);

API Response Headers (Important)

Send headers to inform users:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 80

X-RateLimit-Reset: 60

Best Practices

  • Apply limits per:
    • API key
    • IP address
  • Use distributed storage (Redis)
  • Return proper error message
  • Log blocked requests
  • Combine with authentication

Common Mistakes

  • No rate limiting at all
  • Same limit for all users
  • Not informing users about limits
  • Blocking legitimate users

When to Use Rate Limiting

Always use when:

  • Public APIs
  • High traffic systems
  • Paid APIs

Integration with API Monetization

Rate limiting plays a key role in API monetization:

  • Free tier → strict limits
  • Paid users → higher limits
  • Enterprise → custom limits

Works perfectly with Stripe billing

Example Response (Limit Exceeded)

{
"error": "Too many requests",
"retry_after": 60
}
Post Views: 246
APITier Blog

Categories

Recent Posts

All Tags
address agents ai ap-key api api-benefits api-design api-guide api-key api-security api-testing authorization cloud-api cloud-design commands comparison git graphql HATEOAS how-to java javascript json location map mcp nodejs postcode-format python rest-api screenshot source-code tech-stack user-agent validate-email-api VAT vat_number web-to-pdf web-to-text webscrape web scraping API what-is
Recent Post
Convert Any URL or HTML to PDF Instantly with APITier
Convert Any URL or HTML to PDF
  • April 30, 2026
  • 2 min read
UK address autocomplete API: UX patterns and implementation guide
UK address autocomplete API: UX patterns and
  • April 28, 2026
  • 4 min read
APITier MCP server: UK address and verification tools inside Claude
APITier MCP server: UK address and verification
  • April 28, 2026
  • 5 min read

Related Posts

UK address autocomplete API: UX patterns and implementation guide
API Featured Post UK PostCode API
UK address autocomplete API: UX patterns and implementation guide
APITier MCP server: UK address and verification tools inside Claude
Agents API Featured Post UK PostCode API Verification API
APITier MCP server: UK address and verification tools inside Claude
API Verification API
HMRC VAT API v1 is dead — here’s what UK developers should use instead
API Guides UK PostCode API
UK postcode to LSOA, MSOA and LAD: the complete API mapping guide
APITIER
AGENT APIS
SOLUTIONS
REST APIS
DEVELOPERS
COMPANY
© 2026 APITier. All rights reserved.