Rate Limiting
What is it?
Rate limiting caps how many requests a client can make in a given time, protecting a service from overload and abuse.
Explain like I'm 5
Why was it created?
Without limits, a few heavy or malicious clients can overwhelm a service. Rate limiting was adopted to keep usage fair and systems stable.
Where is it used?
- Public APIs
- Login endpoints (abuse prevention)
- Protecting backends from spikes
- Fair usage across tenants
Why should developers care?
Most public APIs enforce rate limits, so developers both implement them and design clients that respect them.
How does it work?
The server counts each client's requests over a window and rejects or delays ones beyond the allowed rate, often replying with a 429 status. Common algorithms include token bucket and fixed/sliding windows.
Real-world example
An API allows 100 requests per minute per key; beyond that, it returns 429 Too Many Requests until the window resets.
Common use cases
- Preventing abuse and overload
- Fair sharing among users
- Protecting expensive endpoints
- Throttling at the gateway
Advantages
- Protects against overload
- Limits abuse
- Ensures fair usage
- Controls cost
Disadvantages
- Can frustrate legitimate users if too strict
- Needs tuning
- Distributed counting is tricky
- Clients must handle limits gracefully
When should you use it?
On any service exposed to clients you don't fully control, especially public APIs.
When should you avoid it?
For purely internal, trusted, low-volume calls where limits add little value.
Alternatives
Related terms
Interview questions
Beginner
- What is rate limiting?
- What status code signals too many requests?
Intermediate
- What is the token bucket algorithm?
- Why limit login attempts?
Senior
- How do you rate-limit across many servers consistently?
- How should clients handle 429 responses?
Common misconceptions
- "Rate limiting is only about security" — it's also about fairness, stability, and cost control.
- "A 429 means the server is broken" — it means you've hit the limit; back off and retry later.
Fun facts
- HTTP status 429 means 'Too Many Requests'.
- Token bucket and sliding window are two of the most common rate-limiting algorithms.
Timeline
- 2010s — Rate limiting becomes standard practice for public APIs
Learning resources
Quick summary
Rate limiting caps requests per client over time to prevent overload and abuse and keep usage fair, often returning HTTP 429 when exceeded.
Cheat sheet
- Caps requests per time window
- Protects from overload/abuse
- Returns HTTP 429 when exceeded
- Token bucket / sliding window