3 min read
API Design Rate Limiting Throttling System Design Scalability Backend Development Architecture Redis

API Rate Limiting and Throttling Strategies

Why Limit API Traffic?

Rate limiting and throttling are essential for maintaining the stability, security, and fairness of an API. They prevent single users from monopolizing system resources, protect against brute-force attacks, and help manage operational costs.

  • Rate Limiting: Hard limits on the number of requests in a window (e.g., 100 requests per minute).
  • Throttling: The smoothing or slowing down of requests when a threshold is met (e.g., introducing a delay rather than an immediate error).

Core Algorithms

1. Token Bucket

  • Mechanism: A bucket holds a maximum number of tokens. Tokens are added at a fixed rate. Each request costs one token.
  • Benefit: Allows for “bursts” of traffic up to the bucket size, but maintains a consistent average rate.

2. Leaky Bucket

  • Mechanism: Requests enter a bucket (queue) and “leak” out (are processed) at a constant rate. If the bucket overflows, new requests are dropped.
  • Benefit: Enforces a strict, steady processing rate, smoothing out bursts entirely.

3. Fixed Window Counter

  • Mechanism: Tracks requests within a fixed time window (e.g., 00:01 to 00:02).
  • Cons: Can allow double the traffic at the edges of the window (the “boundary problem”).

4. Sliding Window Log / Counter

  • Mechanism: Tracks the exact timestamp of each request or maintains weighted counts of previous windows.
  • Benefit: Solves the boundary problem of fixed windows at the cost of more memory/processing.

Implementation Points

  • API Gateway (Edge): Best for global limits and protecting the entire ecosystem. (e.g., AWS API Gateway, NGINX, Kong).
  • Application Middleware: Best for fine-grained, business-logic-aware limiting (e.g., limits based on specific user IDs or API keys in .NET/Node.js).
  • Client-Side: A polite way to avoid hitting server limits, but cannot be trusted for security.

Practice Exercise

Design a multi-tenant rate-limiting strategy that differentiates between “Free” and “Premium” users.

Answer

The Strategy: Distributed Token Bucket with Redis

Using a distributed cache like Redis is critical for load-balanced systems to ensure consistent limiting across all server nodes.

1. The Design Components

  • Identifier: API_Key or User_ID.
  • Policy Store: A database or config service containing limits (e.g., Free = 100/hr, Pro = 10,000/hr).
  • State Store (Redis): Stores the current token count and last refill timestamp for each identifier.
  • Middleware: Intercepts every incoming HTTP request.

2. The Logic Flow

  1. Extract Identity: Extract the API Key from the Authorization header.
  2. Fetch Rule: Check the cache or local memory for the identity’s limit (e.g., 5 requests per second).
  3. Check Redis: Execute a Lua script in Redis to calculate tokens:
    • RefillTokens = (CurrentStep - LastUpdate) * RefillRate
    • CurrentTokens = min(MaxTokens, CurrentTokens + RefillTokens)
  4. Decide:
    • If CurrentTokens >= 1: Allow request, decrement Redis count, and return headers (X-RateLimit-Remaining).
    • If CurrentTokens < 1: Return 429 Too Many Requests with a Retry-After header.

3. Why This Works

  • Precision: Lua scripts in Redis ensure atomicity (no race conditions between two parallel requests).
  • Scalability: By offloading the state to Redis, any server instance can accurately enforce the limit.
  • Fairness: Premium users are guaranteed more bandwidth, while the system remains protected from “noisy neighbor” effects in the free tier.

Continue Reading

Advanced Authentication & Authorization

Go beyond simple RBAC. Master complex identity scenarios like claims transformation, custom authorization policies with requirements and handlers, and federated identity.

Advanced Database Indexing Strategies

Master performance tuning with covering indexes, filtered indexes, and columnstore indexes. Learn how to eliminate Key Lookups and fix index fragmentation.