Architecture Intermediate
Throttling and Rate Limiting¶
ThrottlingRate LimitingAPI 3 min read
Rate limiting implementation to protect APIs. Token bucket, sliding window and HTTP headers.
Algorithms¶
Token Bucket: Tokens are replenished at a constant rate. Sliding Window: Counts requests within a sliding time window.
// Redis sliding window rate limiter
async function rateLimit(clientId, limit = 100, windowSec = 60) {
const key = \`rl:\${clientId}\`;
const now = Date.now();
const pipe = redis.pipeline();
pipe.zremrangebyscore(key, 0, now - windowSec * 1000);
pipe.zadd(key, now, \`\${now}-\${Math.random()}\`);
pipe.zcard(key);
pipe.expire(key, windowSec);
const results = await pipe.exec();
const count = results[2][1];
return { allowed: count <= limit, remaining: Math.max(0, limit - count) };
}
HTTP Headers¶
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1708900000
Retry-After: 30 # on 429
Summary¶
Rate limiting is a necessity for every public API. Inform clients via HTTP headers.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.