
Rate Limiting Strategies for APIs

Why Rate Limit?

If you expose a public API, it will be abused. A competitor might scrape your entire database. An attacker might run a script trying 10,000 passwords a second against your login endpoint. A buggy client might get stuck in an infinite loop and accidentally flood your server with requests, a self-inflicted denial of service. Rate limiting is mandatory for survival. It is also one of the cheapest controls against credential stuffing and enumeration, provided the key you limit on (account, API key, client IP) matches the abuse you are trying to stop.

The Token Bucket Algorithm

This is the most common and elegant rate-limiting algorithm. Imagine a bucket that holds at most 100 tokens. Every request removes one token; if the bucket is empty, the request is rejected with 429 Too Many Requests (ideally with a Retry-After header saying when the next token will be available). Meanwhile the bucket is refilled at a constant rate, say 10 tokens per second, but never above its capacity. The capacity therefore bounds how large a burst a client can send, and the refill rate fixes the long-term average it can sustain: 100 requests in a burst, then 10 per second after that.
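An in-process token bucket, added here to illustrate the algorithm described above (this is not code from the original article). It keeps one bucket per client key in a dictionary, which is fine for a single instance; the clock is injectable so the demo can advance time deterministically. The capacity of 100 and refill rate of 10 per second are the numbers from the text; `FakeClock` and the client ids `user:123` / `user:456` are constructed for the demo.

```python
import time


class TokenBucket:
    """One client's bucket: holds at most `capacity` tokens, refilled at `refill_rate` per second."""

    def __init__(self, capacity, refill_rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.clock = clock              # injectable so tests can drive time deterministically
        self.tokens = self.capacity     # a new client starts with a full bucket
        self.last = clock()

    def _refill(self):
        now = self.clock()
        elapsed = max(0.0, now - self.last)         # guard against a clock that steps backwards
        # Tokens accrue continuously but never beyond capacity: that cap is the burst limit.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now

    def try_consume(self, cost=1.0):
        """Spend `cost` tokens if available. Returns (allowed, retry_after_seconds)."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True, 0.0
        # Not enough tokens: report how long until the deficit is refilled,
        # which is what a 429 response's Retry-After header should carry.
        return False, (cost - self.tokens) / self.refill_rate


class RateLimiter:
    """Keeps one bucket per key (user id, API key or client IP) in process memory."""

    def __init__(self, capacity, refill_rate, clock=time.monotonic):
        self.capacity, self.refill_rate, self.clock = capacity, refill_rate, clock
        self.buckets = {}

    def check(self, key, cost=1.0):
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_rate, self.clock)
        return bucket.try_consume(cost)


class FakeClock:
    """Constructed clock so the demo runs deterministically offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    limiter = RateLimiter(capacity=100, refill_rate=10, clock=clock)  # the article's numbers

    # A burst of 150 requests at the same instant: the first 100 drain the bucket.
    burst_allowed = sum(limiter.check("user:123")[0] for _ in range(150))
    allowed, retry_after = limiter.check("user:123")   # bucket empty: 1 token / 10 per s = 0.1 s

    clock.advance(0.5)                                  # half a second refills 5 tokens
    after_wait = sum(limiter.check("user:123")[0] for _ in range(10))

    other_client = limiter.check("user:456")[0]         # separate key, separate bucket
    return burst_allowed, allowed, retry_after, after_wait, other_client


if __name__ == "__main__":
    print(demo())   # (100, False, 0.1, 5, True)
```

Note that the bucket stores a float token count and refills lazily on each request rather than with a background timer; that is the usual production shape because it needs no scheduler and costs one subtraction per request. The per-key dictionary is the part that does not survive multiple instances, which is the problem the next section addresses.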

Implementation via Redis

Rate-limit state cannot live in each server's own memory if you run multiple instances: Node A doesn't know how many requests Node B has processed, so every node enforces its own copy of the limit and a client whose requests are spread across N nodes effectively gets N times the quota. You need a shared, low-latency store such as Redis. The simplest scheme to build on Redis is a "Fixed Window Counter": increment a key scoped to the client and the current window (e.g., rate_limit:user_id:123:minute_45), set it to expire after 60 seconds, and reject once the returned count exceeds the limit. Two caveats. First, make the INCR and the EXPIRE atomic (a MULTI/EXEC transaction or a short Lua script), otherwise a crash between the two commands leaves a counter that never resets. Second, a fixed window lets a client spend a full quota at the end of one window and another at the start of the next, so the true peak rate is double the nominal limit; the token bucket above, or a sliding window, avoids that boundary effect.
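A fixed-window limiter in the shape you would run against Redis, added here as an example (it is not the article's own code). The window counter is incremented and given its TTL in one Lua script sent with EVAL, so the two steps cannot be separated by a crash. `FakeRedis` and `FakeClock` are constructed stand-ins so the example runs offline; in production you would pass a `redis.Redis` client from redis-py, whose `eval(script, numkeys, *keys_and_args)` call has the same signature as the stand-in. The key layout, the `user:123` client id and the epoch base are illustrative. The example also exercises the boundary weakness the paragraph above warns about: two full quotas across a window edge.

```python
import time

# Atomic "increment the window counter and, on its first hit, set its TTL" as one Redis
# Lua script. Run via EVAL it executes as a single server-side step, so a crash between
# INCR and EXPIRE cannot leave a counter that never expires.
FIXED_WINDOW_LUA = """
local n = redis.call('INCR', KEYS[1])
if n == 1 then
  redis.call('EXPIRE', KEYS[1], tonumber(ARGV[1]))
end
return n
"""

WINDOW_START = 1_700_000_040   # constructed epoch second; a multiple of 60, i.e. a window boundary


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeRedis:
    """Constructed in-memory stand-in for the commands the limiter uses.
    Production code passes a redis.Redis client (redis-py) instead."""

    def __init__(self, clock):
        self.clock = clock
        self.store = {}                      # key -> [count, expires_at]

    def _get(self, key):
        entry = self.store.get(key)
        if entry is not None and entry[1] <= self.clock():
            del self.store[key]              # lazy expiry, as Redis does on access
            return None
        return entry

    def incr(self, key):
        entry = self._get(key)
        if entry is None:
            entry = self.store[key] = [0, float("inf")]
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        entry = self._get(key)
        if entry is not None:
            entry[1] = self.clock() + seconds

    def exists(self, key):
        return int(self._get(key) is not None)

    def eval(self, script, numkeys, *keys_and_args):
        # Emulates only FIXED_WINDOW_LUA; a real client ships the script to the server.
        assert script == FIXED_WINDOW_LUA and numkeys == 1
        key, ttl = keys_and_args[0], int(keys_and_args[1])
        n = self.incr(key)
        if n == 1:
            self.expire(key, ttl)
        return n


class FixedWindowLimiter:
    def __init__(self, redis, limit, window_seconds, clock=time.time):
        self.redis, self.limit, self.window, self.clock = redis, limit, window_seconds, clock

    def key_for(self, client_id):
        window_no = int(self.clock() // self.window)   # window number since the epoch
        return f"rate_limit:{client_id}:{window_no}"

    def check(self, client_id):
        """True if the request is within quota for the current window; False means respond 429."""
        count = self.redis.eval(FIXED_WINDOW_LUA, 1, self.key_for(client_id), self.window)
        return count <= self.limit


def single_window():
    """150 requests inside one minute: exactly `limit` pass, the rest are rejected."""
    clock = FakeClock(WINDOW_START)
    limiter = FixedWindowLimiter(FakeRedis(clock), limit=100, window_seconds=60, clock=clock)
    results = [limiter.check("user:123") for _ in range(150)]
    return results.count(True), results.count(False)


def boundary_burst():
    """The fixed-window weakness: a full quota in the last second of window N plus a full
    quota in the first second of window N+1 lets 2x the limit through in two seconds."""
    clock = FakeClock(WINDOW_START + 59)
    limiter = FixedWindowLimiter(FakeRedis(clock), limit=100, window_seconds=60, clock=clock)
    allowed = sum(limiter.check("user:123") for _ in range(100))
    clock.advance(1)
    allowed += sum(limiter.check("user:123") for _ in range(100))
    return allowed


def counter_expires():
    """Once the TTL passes the old key is gone and the client gets a fresh quota."""
    clock = FakeClock(WINDOW_START)
    r = FakeRedis(clock)
    limiter = FixedWindowLimiter(r, limit=1, window_seconds=60, clock=clock)
    old_key = limiter.key_for("user:123")
    first, second = limiter.check("user:123"), limiter.check("user:123")
    clock.advance(60)
    return first, second, limiter.check("user:123"), r.exists(old_key)
```

The window number is derived from the epoch (`clock // 60`) rather than from the wall-clock minute so every node computes the same key regardless of local time zone or formatting. With redis-py the same script can be loaded once with `register_script` instead of being resent on every call, which saves bandwidth but does not change the atomicity argument.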
