Rate Limiting in API Design

Hello 👋

Welcome to another week, another opportunity to become a Great Backend Engineer.

Today’s issue is brought to you by Masteringbackend → A great resource for backend engineers. We offer next-level backend engineering training and exclusive resources.

Before we get started, I have a few announcements:

I have a special gift for you: You will love this one.

The ultimate “Land Your Dream Job” Challenge is here.

We are launching the ultimate guide to land your dream job in any programming language you choose. We are starting with the Python Programming language.

Land your dream Python job in 90 days by shipping 30 Python projects in 30 days through our daily tasks.

It’s a cohort-based and project-focused challenge where you will be challenged to build 30 Python projects in 30 days.

Here's what you'll get:

  • Ship 30+ Python backend projects in 30 days.

  • Instant Access to all 30+ videos

  • Access to data structure and algorithm interview kits.

  • Access our Complete Backend Job Preparation kits (Resume, Cover letter reviews, mock interviews, and job placements).

  • Join & learn from a thriving community of helpful students & alumni from top companies.

Limited access: the first 500 students pay $54; everyone after that pays $100. (We have only 320 slots left.)

In our previous issue on Pagination in API Design, we explored the role of pagination in API design, compared different pagination strategies, and provided detailed implementation examples.

In this issue, we’ll explore the importance of rate limiting, common strategies used in API design, and implementation examples in Node.js using Express and Redis.

As APIs become the backbone of modern applications, it is crucial to ensure their stability and prevent abuse. One of the most effective ways to achieve this is rate limiting, a strategy that controls the number of API requests a client can make within a given timeframe.

Rate limiting is key in managing resource allocation, preventing system overload, and ensuring fair access to resources for all consumers.

Why Rate Limiting Matters in API Design

Without rate limiting, APIs are vulnerable to excessive requests, which can lead to:

  • System Overload – High traffic can exhaust server resources, causing slow responses or outages.

  • Denial-of-Service (DoS) Attacks – Malicious users or bots can flood the API with requests, disrupting service for legitimate users.

  • Fair Usage Enforcement – Prevents a single client from consuming disproportionate resources.

  • Cost Control – APIs with pay-per-use models must enforce limits to avoid excessive cloud costs.

By enforcing rate limits, APIs maintain performance, security, and equitable access for all users.

Common Rate Limiting Strategies

Rate limiting is typically implemented using one of the following techniques:

Fixed Window Rate Limiting

This is a simple approach in which requests are counted within a fixed time window (e.g., 100 requests per minute). Once the limit is exceeded, further requests are blocked until the next time window starts.

Example: A user can make 100 requests per minute. If they exceed this limit at 30 seconds, they must wait until the next minute to make more requests.

This strategy is good for its simplicity and predictable enforcement.
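The fixed-window logic above can be sketched as a small in-memory counter (function and variable names here are illustrative, not a library API):

```javascript
// Minimal fixed-window limiter sketch: allow `limit` requests per `windowMs`.
// The counter simply resets when a new window starts.
function createFixedWindowLimiter(limit, windowMs) {
  const counters = new Map(); // clientId -> { windowStart, count }

  return function isAllowed(clientId, now = Date.now()) {
    const entry = counters.get(clientId);
    if (!entry || now - entry.windowStart >= windowMs) {
      // A new window has begun: reset the count for this client.
      counters.set(clientId, { windowStart: now, count: 1 });
      return true;
    }
    if (entry.count < limit) {
      entry.count += 1;
      return true;
    }
    return false; // limit exceeded; blocked until the next window
  };
}
```

Note the classic drawback: a client can send the full limit at the end of one window and again at the start of the next, briefly doubling the effective rate.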

Sliding Window Rate Limiting

Instead of resetting limits at fixed intervals, this approach considers a rolling timeframe, giving more accurate and smoother enforcement than fixed-window limiting.

Example: If a limit of 100 requests per minute is set, requests are checked within the last 60 seconds at any given moment.

This strategy is good for APIs with dynamic user activity.
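One way to implement the rolling check is a sliding-window log: keep each client's request timestamps and count only those inside the trailing window (a sketch with illustrative names, not a library API):

```javascript
// Sliding-window log sketch: a request is allowed if fewer than `limit`
// requests fall within the trailing `windowMs` at this moment.
function createSlidingWindowLimiter(limit, windowMs) {
  const logs = new Map(); // clientId -> array of request timestamps

  return function isAllowed(clientId, now = Date.now()) {
    // Keep only timestamps still inside the rolling window.
    const recent = (logs.get(clientId) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      logs.set(clientId, recent);
      return false; // too many requests in the last `windowMs`
    }
    recent.push(now);
    logs.set(clientId, recent);
    return true;
  };
}
```

Storing every timestamp costs memory at high traffic; production systems often approximate this with a "sliding window counter" that interpolates between two fixed windows.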

Token Bucket Algorithm

Each client is given a bucket with tokens representing API requests. Every request consumes a token; tokens are replenished at a fixed rate. If the bucket is empty, requests are denied until more tokens are added.

Example: A client gets 10 tokens per second. If they make 50 requests in one second, they must wait for tokens to replenish.

This rate-limiting strategy is good for APIs that need a burst tolerance while enforcing limits.
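The refill-and-consume behavior can be sketched in a few lines (illustrative names; a single-client bucket for clarity):

```javascript
// Token-bucket sketch: the bucket holds up to `capacity` tokens and refills
// continuously at `refillPerSecond`. Each request consumes one token.
function createTokenBucket(capacity, refillPerSecond) {
  let tokens = capacity;
  let last = null; // timestamp of the previous call

  return function tryConsume(now = Date.now()) {
    if (last !== null) {
      // Refill in proportion to elapsed time, capped at capacity.
      tokens = Math.min(capacity, tokens + ((now - last) / 1000) * refillPerSecond);
    }
    last = now;
    if (tokens >= 1) {
      tokens -= 1; // spend one token on this request
      return true;
    }
    return false; // bucket empty: the client must wait for refill
  };
}
```

Because a full bucket can be drained all at once, short bursts up to `capacity` are tolerated while the long-run rate stays at `refillPerSecond`.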

Leaky Bucket Algorithm

It is similar to the token bucket but enforces a steady request rate. Requests are processed at a fixed rate, and excess requests are queued. This strategy is good for APIs requiring smooth request flow without sudden bursts.
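A leaky bucket can be sketched as a bounded queue drained at a fixed interval (illustrative names; `processRequest` is whatever handler you plug in):

```javascript
// Leaky-bucket sketch: requests join a bounded queue; a timer "leaks" one
// request per `leakIntervalMs`, so output is a steady stream regardless of
// how bursty the input is. Overflowing requests are rejected.
function createLeakyBucket(capacity, leakIntervalMs, processRequest) {
  const queue = [];
  const timer = setInterval(() => {
    const request = queue.shift(); // drain exactly one request per tick
    if (request) processRequest(request);
  }, leakIntervalMs);

  return {
    enqueue(request) {
      if (queue.length >= capacity) return false; // bucket overflow: reject
      queue.push(request);
      return true;
    },
    stop() { clearInterval(timer); },
  };
}
```

The trade-off versus the token bucket: bursts are smoothed into a constant processing rate, but queued requests see added latency.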

Rate Limiting by User or IP Address

Limits requests based on user authentication tokens or IP addresses, ensuring that individual clients do not abuse the API. This strategy is good for multi-user environments where fairness is important.
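In practice this means choosing a stable key per client. A possible key function prefers an authenticated user ID and falls back to the IP address (note: `req.user` is an assumption about your auth middleware, not something Express provides by default):

```javascript
// Derive the rate-limit key for a request: authenticated user ID if present,
// otherwise the client IP. Authenticated users are then limited individually
// even behind a shared IP (e.g., a corporate NAT).
function clientKey(req) {
  if (req.user && req.user.id) return `user:${req.user.id}`;
  return `ip:${req.ip}`;
}

// With express-rate-limit, this would be wired in as (sketch):
// const limiter = rateLimit({ windowMs: 60 * 1000, max: 100, keyGenerator: clientKey });
```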

Implementing Rate Limiting in Node.js with Express & Redis

One of the best ways to implement rate limiting efficiently is by using Redis, a fast in-memory datastore, alongside Express.js.

Step 1: Install Dependencies

npm install express express-rate-limit rate-limit-redis ioredis

Step 2: Set Up Express and Redis

const express = require('express');
const rateLimit = require('express-rate-limit');
const { RedisStore } = require('rate-limit-redis');
const Redis = require('ioredis');

const app = express();
const redisClient = new Redis({ host: 'localhost', port: 6379 });

const limiter = rateLimit({
    store: new RedisStore({
        // ioredis exposes raw Redis commands via .call()
        sendCommand: (...args) => redisClient.call(...args),
    }),
    windowMs: 1 * 60 * 1000, // 1 minute
    max: 100, // Limit each IP to 100 requests per minute
    message: 'Too many requests, please try again later.',
});

app.use('/api', limiter);

app.get('/api/data', (req, res) => {
    res.json({ message: 'Success! You are within the rate limit.' });
});

app.listen(3000, () => console.log('Server running on port 3000'));

How This Works

  • A rate limit of 100 requests per minute is enforced.

  • If a user exceeds this limit, they receive a 429 Too Many Requests response.

  • Redis is used to store request counts for each client, ensuring efficiency and scalability.

Best Practices for Rate Limiting

  1. Use Adaptive Rate Limits – Adjust limits based on user behavior (e.g., stricter limits for anonymous users, relaxed limits for authenticated users).

  2. Implement API Key-Based Limits – Assign different limits based on API usage tiers (free vs. premium users).

  3. Use Headers to Inform Clients – Return headers like X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset to help clients manage requests.

  4. Combine Rate Limiting with Other Security Measures – Use it alongside authentication, logging, and monitoring to enhance security.

  5. Monitor and Analyze Requests – Store rate limit logs to detect patterns of abuse and adjust policies dynamically.
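Practices 1 and 2 often come down to making the limit a function of the request. Here is a sketch of tiered limits (the tier names and `req.apiKeyTier` field are hypothetical; in a real app your auth middleware would attach the tier after validating the API key):

```javascript
// Hypothetical usage tiers: premium keys get a higher per-minute limit.
const TIER_LIMITS = { free: 100, premium: 1000 };

// Resolve the limit for a request; unknown or missing tiers fall back to free.
function limitForRequest(req) {
  const tier = req.apiKeyTier || 'free'; // assumed to be set by auth middleware
  return TIER_LIMITS[tier] || TIER_LIMITS.free;
}

// With express-rate-limit (sketch): `max` may be a function of the request,
// and the headers options implement best practice 3.
// const limiter = rateLimit({
//   windowMs: 60 * 1000,
//   max: limitForRequest,
//   standardHeaders: true, // RateLimit-* headers
//   legacyHeaders: true,   // X-RateLimit-* headers
// });
```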

Conclusion

Rate limiting is essential to API design, ensuring fairness, security, and system stability. By implementing fixed window, sliding window, token bucket, or leaky bucket strategies, APIs can effectively manage load and prevent abuse.

Using tools like Express and Redis, backend engineers can enforce rate limits efficiently while providing a smooth experience for legitimate users. Thoughtful design and best practices help maintain high availability and performance.

Did you learn anything new from this newsletter this week? Please reply to this email and let me know. Feedback like this encourages me to keep going.

Remember to start learning backend engineering from our courses:

Get a 50% discount on any of these courses. Reach out to me (Reply to this mail)

Backend Engineering Resources

Whenever you're ready

There are 4 ways I can help you become a great backend engineer:

1. The MB Platform: Join 1000+ backend engineers learning backend engineering on the MB platform. Build real-world backend projects, track your learnings and set schedules, learn from expert-vetted courses and roadmaps, and solve backend engineering tasks, exercises, and challenges.

2. The MB Academy: a 6-month intensive Advanced Backend Engineering BootCamp that produces great backend engineers.

3. MB Video-Based Courses: Join 1000+ backend engineers who learn from our meticulously crafted courses designed to empower you with the knowledge and skills you need to excel in backend development.

4. GetBackendJobs: Access 1000+ tailored backend engineering jobs, manage and track all your job applications, create a job streak, and never miss applying. Lastly, you can hire backend engineers anywhere in the world.

LAST WORD 👋 

How am I doing?

I love hearing from readers, and I'm always looking for feedback. How am I doing with The Backend Weekly? Is there anything you'd like to see more or less of? Which aspects of the newsletter do you enjoy the most?

Hit reply and say hello - I'd love to hear from you!

Stay awesome,
Solomon

I moved my newsletter from Substack to Beehiiv, and it's been an amazing journey. Start yours here.
