Rate limiting
Don't let your API get abused
Last updated: 3/8/2025
1 hour
Medium
Introduction
Rate limiting is a critical feature in API development, designed to control the number of requests a user or system can make within a certain time frame. It prevents abuse, ensures fair usage, and helps maintain overall service reliability and performance.
Importance of Rate Limiting
- Mitigates overload and application-layer denial-of-service (DoS). Rate limiting alone does not absorb volumetric DDoS traffic; that has to be handled upstream (CDN, load balancer, network-level filtering).
- Ensures equitable resource distribution among users, so one noisy client cannot starve the rest.
- Prevents unintentional misuse (a runaway retry loop, a misconfigured integration) and deliberate abuse such as brute-force login attempts, credential stuffing, enumeration and scraping.
How Rate Limiting Works
Rate limiting restricts the number of requests allowed from a specific entity (such as an IP address, a user account, or an API key) within a defined timeframe. When the limit is reached, additional requests are either temporarily blocked or delayed until the rate limit resets.
Types of Rate Limiting
- IP-based Rate Limiting: Limits requests based on the client's IP address, suitable for public APIs where users are anonymous. Caveats: many legitimate users can share one address behind a NAT or corporate proxy, and behind a reverse proxy the address must be taken from X-Forwarded-For only when a trusted proxy sets it; otherwise a client can spoof the header and choose its own bucket.
- User-based Rate Limiting: Limits requests based on authenticated user accounts, ideal for APIs that require authentication. The key comes from the verified session or token, not from anything the client can freely set.
- API Key-based Rate Limiting: Limits requests according to specific API keys, useful for managing third-party integrations and giving each integration its own quota.
Common Algorithms
- Token Bucket Algorithm:
  - Tokens are added to a bucket at a fixed rate, up to a fixed capacity.
  - Each request consumes a token; if no tokens are available, the request is denied or delayed.
  - A full bucket lets a client burst up to the capacity, after which it is throttled to the refill rate.
- Leaky Bucket Algorithm:
  - Requests enter a "bucket" at whatever rate they arrive.
  - Requests leak out of the bucket (are processed) at a constant rate, which smooths bursts.
  - Excess requests are discarded when the bucket is full.
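To make the difference between the two algorithms concrete, here is an added example (not code from the original page): a token bucket, which admits or rejects immediately, and a leaky bucket, which schedules each admitted request for release at a constant rate and drops the overflow. Both take an injectable clock so the behaviour can be checked deterministically; the fake clock and the 15-request burst in the demo are constructed for illustration.

```javascript
// Added example: token bucket and leaky bucket limiters with an injectable
// clock. `now` returns milliseconds; the default is real time.

class TokenBucket {
  // capacity = burst size; refillPerSec = steady-state rate
  constructor(capacity, refillPerSec, now = () => Date.now()) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.tokens = capacity; // start full so a fresh client may burst
    this.last = now();
  }

  refill() {
    const t = this.now();
    const elapsedSec = (t - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.last = t;
  }

  // Take `cost` tokens if available; true means the request is admitted now.
  tryConsume(cost = 1) {
    this.refill();
    if (this.tokens >= cost) {
      this.tokens -= cost;
      return true;
    }
    return false;
  }
}

class LeakyBucket {
  // capacity = how many requests may wait; leakPerSec = constant release rate
  constructor(capacity, leakPerSec, now = () => Date.now()) {
    this.capacity = capacity;
    this.intervalMs = 1000 / leakPerSec;
    this.now = now;
    this.nextRelease = 0; // time at which the next admitted request leaves
  }

  // Queue a request. Returns the time (ms) it will be released, or -1 if the
  // bucket is full and the request is dropped.
  enqueue() {
    const t = this.now();
    if (this.nextRelease < t) this.nextRelease = t; // bucket drained: leave at once
    const waiting = (this.nextRelease - t) / this.intervalMs;
    if (waiting >= this.capacity) return -1;
    const release = this.nextRelease;
    this.nextRelease += this.intervalMs;
    return release;
  }
}

// Constructed fake clock for deterministic demonstration.
function makeClock(startMs = 0) {
  let t = startMs;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// 15 requests arrive at once against a capacity-10, 2-per-second limiter.
function demo() {
  const clock = makeClock();
  const tb = new TokenBucket(10, 2, clock.now);
  const lb = new LeakyBucket(10, 2, clock.now);
  let tokenAdmitted = 0;
  const leakyReleases = [];
  for (let i = 0; i < 15; i++) {
    if (tb.tryConsume()) tokenAdmitted++;
    const r = lb.enqueue();
    if (r >= 0) leakyReleases.push(r);
  }
  clock.advance(1000); // one second later, one more request each
  const afterWait = { token: tb.tryConsume(), leakyRelease: lb.enqueue() };
  clock.advance(1000);
  tb.refill();
  return { tokenAdmitted, leakyReleases, afterWait, tokensLeft: tb.tokens };
}
```

In the demo both buckets admit 10 of the 15 requests, but the token bucket lets all 10 through immediately and then refills two per second, while the leaky bucket releases its 10 at 0, 500, 1000 ... 4500 ms, so the downstream service never sees more than two per second.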
Practical Implementation
Example using middleware (Node.js/Express) with IP-based limiting:
```js
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                 // Limit each IP to 100 requests per window
  message: "Too many requests from this IP, please try again later."
});

app.use('/api/', limiter);
```

Two things to check before relying on this: the default store is in-process memory, so with several instances each one keeps its own counters and the effective limit is multiplied by the instance count (use a shared store such as Redis instead), and if the app sits behind a reverse proxy Express must be told to trust it (app.set('trust proxy', ...)) or every request will be keyed on the proxy's address.
Communicating Rate Limits
- Use clear HTTP response status codes (e.g., 429 Too Many Requests).
- Provide informative messages and headers about current limits and reset times, including Retry-After so clients know how long to back off.
Example HTTP headers (X-RateLimit-Reset is the Unix time, in seconds, at which the current window resets):
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 75
X-RateLimit-Reset: 1609459200
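The following is an added example (not code from the original page) that ties the keying choices and the response format together: an Express-style middleware that keys the limit on an API key if present, else the authenticated user, else the client IP, and answers over-limit requests with 429, the X-RateLimit-* headers above and Retry-After. The header names x-api-key and req.user.id, the fake req/res objects and the timestamps are assumptions made for the demonstration; the counter store is a single in-process Map, so a multi-instance deployment would swap in a shared store.

```javascript
// Added example: fixed-window limiter as Express-style middleware.

function clientKey(req, trustProxy = false) {
  // Hypothetical names; adapt to the app's auth layer.
  const apiKey = req.headers['x-api-key'];
  if (apiKey) return `key:${apiKey}`;
  if (req.user && req.user.id) return `user:${req.user.id}`;
  // Honour X-Forwarded-For only when a trusted proxy sets it; otherwise a
  // client could spoof it and pick its own bucket.
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) return `ip:${xff.split(',')[0].trim()}`;
  return `ip:${req.ip}`;
}

function createRateLimiter({ limit, windowMs, trustProxy = false, now = () => Date.now() }) {
  const counters = new Map(); // key -> { count, windowStart }

  function check(key) {
    const t = now();
    let entry = counters.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a fresh window
      counters.set(key, entry);
    }
    const resetAt = entry.windowStart + windowMs;
    if (entry.count >= limit) return { allowed: false, remaining: 0, resetAt };
    entry.count += 1;
    return { allowed: true, remaining: limit - entry.count, resetAt };
  }

  function middleware(req, res, next) {
    const r = check(clientKey(req, trustProxy));
    res.setHeader('X-RateLimit-Limit', String(limit));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    res.setHeader('X-RateLimit-Reset', String(Math.ceil(r.resetAt / 1000)));
    if (!r.allowed) {
      const waitSec = Math.max(1, Math.ceil((r.resetAt - now()) / 1000));
      res.setHeader('Retry-After', String(waitSec));
      res.status(429).json({ error: 'Too many requests, please try again later.' });
      return;
    }
    next();
  }

  return { middleware, check };
}

// Constructed stand-in for an Express response so the middleware runs offline.
function fakeRes() {
  const res = { headers: {}, statusCode: 200, body: null };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Four requests against a limit of 3 per minute, then one after the window rolls.
function demo() {
  let t = 1609459200000; // 2021-01-01T00:00:00Z, constructed
  const limiter = createRateLimiter({ limit: 3, windowMs: 60000, now: () => t });
  const req = { headers: { 'x-forwarded-for': '203.0.113.9' }, ip: '10.0.0.1' };
  const results = [];
  for (let i = 0; i < 4; i++) {
    const res = fakeRes();
    let passed = false;
    limiter.middleware(req, res, () => { passed = true; });
    results.push({ passed, status: res.statusCode,
      remaining: res.headers['X-RateLimit-Remaining'],
      reset: res.headers['X-RateLimit-Reset'],
      retryAfter: res.headers['Retry-After'] });
  }
  t += 60000; // window rolls over
  const res = fakeRes();
  let passedAfter = false;
  limiter.middleware(req, res, () => { passedAfter = true; });
  return { results, passedAfter, key: clientKey(req), keyBehindProxy: clientKey(req, true) };
}
```

Note how the same request is keyed on 10.0.0.1 (the proxy's address) unless trustProxy is set, in which case the first X-Forwarded-For hop is used; getting that flag wrong either limits all users as one or lets an attacker forge unlimited keys.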
Best Practices
- Clearly document rate-limiting policies and limits.
- Provide meaningful and actionable error messages.
- Adjust rate limits based on usage patterns and feedback.
- Consider tiered or differentiated rate limits for different types of users.
- Apply stricter limits on sensitive endpoints (login, password reset, token issuance) than on ordinary reads, since that is where brute-force and enumeration attempts concentrate.
- When running more than one instance, keep counters in a shared store; per-process memory multiplies the effective limit by the instance count. Decide explicitly whether requests fail open or fail closed if that store is unreachable.