
Designing a Rate Limiter

Learn how to design a rate limiter to protect APIs from abuse, covering token bucket, leaky bucket, and sliding window algorithms.


srikanthtelkalapally888@gmail.com

A rate limiter controls the number of requests a client can make to an API in a given time window.

Why Rate Limiting?

  • Prevent DDoS attacks
  • Ensure fair usage
  • Reduce infrastructure costs
  • Protect downstream services

Algorithms

Token Bucket

- Bucket holds up to N tokens
- One token is added every T seconds
- Each request consumes 1 token
- Requests are rejected while the bucket is empty

Leaky Bucket

- Requests queue up
- Processed at fixed rate
- Excess requests dropped

Sliding Window Counter

Divides time into small buckets and counts requests over a rolling window.

Implementation with Redis

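key = f"rate:{user_id}:{timestamp_minute}"   # one counter per user per minute
count = redis.incr(key)                      # atomic increment, returns the new count
redis.expire(key, 60)                        # let the counter expire after 60 seconds
if count > limit:
    reject()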
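
The following is an added example, not code from the original article: an in-memory sketch of the sliding window counter described above, next to a fixed per-minute counter that counts the same way as the Redis snippet, replayed over constructed traffic that straddles a minute boundary. The class names, the 5-second bucket size and the sample timestamps are assumptions made for illustration.

```python
from collections import defaultdict


class SlidingWindowCounter:
    """Rolling-window limiter built from small fixed-size buckets."""

    def __init__(self, limit, window_s=60, bucket_s=5):
        self.limit = limit
        self.bucket_s = bucket_s
        self.buckets_per_window = window_s // bucket_s
        self.counts = defaultdict(dict)  # client_id -> {bucket_index: count}

    def allow(self, client_id, now):
        current = int(now // self.bucket_s)
        # Keep one extra bucket so the covered span is never shorter than
        # window_s; the limiter errs on the strict side.
        oldest = current - self.buckets_per_window
        buckets = self.counts[client_id]
        for idx in [i for i in buckets if i < oldest]:
            del buckets[idx]  # bucket has slid out of the window
        if sum(buckets.values()) >= self.limit:
            return False
        buckets[current] = buckets.get(current, 0) + 1
        return True


class FixedWindowCounter:
    """One counter per client per minute; it resets at each minute boundary."""

    def __init__(self, limit, window_s=60):
        self.limit = limit
        self.window_s = window_s
        self.counts = defaultdict(int)  # (client_id, window_index) -> count

    def allow(self, client_id, now):
        key = (client_id, int(now // self.window_s))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def accepted(limiter, timestamps, client_id="user-1"):
    """Replay request timestamps (in seconds) and count how many are accepted."""
    return sum(limiter.allow(client_id, t) for t in timestamps)


# Constructed traffic: 10 requests at t=59s, then 10 more at t=61s.
BURST = [59.0] * 10 + [61.0] * 10
```

With a limit of 10 per minute, the fixed counter accepts all 20 requests because they fall into two different minute keys, while the sliding window counter accepts only the first 10.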

Architecture

Client → API Gateway (Rate Limiter)
             ↓
           Redis
             ↓
       Microservices

Distributed Rate Limiting

For multi-region, use Redis Cluster and synchronize counters across nodes.

Conclusion

Rate limiters are critical for API stability. Token bucket is best for burst traffic, sliding window for precision.