100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Web

Rate Limiting

IntermediateTechnique8.4K learners

Rate limiting is a technique for controlling the number of requests a client can make to a service within a given time window, used to protect systems from overload, abuse, and unfair resource consumption.

Definition

Rate limiting is a technique for controlling the number of requests a client can make to a service within a given time window, used to protect systems from overload, abuse, and unfair resource consumption.

Overview

Rate limiting enforces a cap on request volume — for example, 100 requests per minute per API key — and rejects or delays requests once that cap is exceeded, usually returning an HTTP 429 'Too Many Requests' response. It is commonly enforced at an API Gateway or Load Balancer so the limit is applied consistently before traffic ever reaches backend services. Several algorithms are used in practice. The token bucket and leaky bucket algorithms smooth out bursts of traffic over time, allowing some burstiness while enforcing an average rate. Fixed-window counters are simple but can allow bursts at window boundaries, while sliding-window approaches correct for that at the cost of slightly more bookkeeping. The right choice depends on how tolerant the system is of short bursts versus needing a strictly even request rate. Rate limiting serves several purposes at once: protecting infrastructure from being overwhelmed (including as a defense against DDoS Attack traffic), ensuring fair usage across many tenants of a shared API, and enforcing business rules like free-tier quotas on a paid API product. It's a close cousin of the Circuit Breaker Pattern — both protect system health under stress — but rate limiting caps client-driven demand proactively, while a circuit breaker reacts to observed downstream failures.

Key Concepts

  • Caps request volume per client, API key, IP address, or user within a time window
  • Common algorithms: token bucket, leaky bucket, fixed window, and sliding window
  • Typically enforced at the API gateway or load balancer layer
  • Returns HTTP 429 responses with retry guidance when limits are exceeded
  • Protects backend services from overload and abuse
  • Enables tiered usage plans (e.g., free vs. paid API quotas)
  • Helps mitigate certain classes of denial-of-service traffic

Use Cases

Public APIs enforcing free-tier and paid-tier usage quotas
Login endpoints throttling repeated attempts to slow brute-force attacks
Protecting backend services from traffic spikes or abusive clients
Third-party integrations respecting a partner API's documented rate limits
Multi-tenant SaaS platforms ensuring fair resource usage across customers
Search or autocomplete endpoints limiting expensive query volume

Frequently Asked Questions