Rate Limiting — Grind: DSA, System Design, Interview Prep

Why Rate Limiting Exists

Rate limiting is not just a defensive measure — it's a first-class systems design concern that touches availability, fairness, cost control, and security simultaneously.

The four reasons you rate limit:

DDoS and abuse prevention — A single client sending 100,000 requests/second can saturate your backend. Even well-intentioned clients with buggy retry logic can create accidental DDoS.
Cost control — Every request costs compute, database reads, third-party API calls (OpenAI, payment processors). A single runaway script can generate thousands of dollars in cloud bills overnight.
Fairness — In a multi-tenant system, one power user consuming 90% of capacity degrades service for everyone else. Rate limits enforce equitable resource sharing.
SLA protection — Downstream services (payment gateways, SMS providers) have their own rate limits. Your rate limiter protects you from propagating failures upstream.

Real numbers:

GitHub: 5,000 requests/hour per authenticated user, 60/hour unauthenticated
Stripe: 100 requests/second per secret key (burst up to 200)
Twitter API v2: varies by tier, 500k tweets/month at basic
Cloudflare: rate limiting rules configurable to any threshold, enforced at edge

Algorithm 1: Fixed Window Counter

The simplest algorithm. Divide time into fixed windows (1 minute, 1 hour). Count requests in the current window. Reject if count exceeds limit.

Timeline (limit: 10 req/min):

Minute 1 [00:00 - 00:59]   |██████████░░| 10 requests — full
Minute 2 [01:00 - 01:59]   |░░░░░░░░░░░░| 0 requests — reset

async function isAllowed(clientId: string, limit: number): Promise<boolean> {
  const windowKey = `ratelimit:${clientId}:${Math.floor(Date.now() / 60000)}`;
  
  const count = await redis.incr(windowKey);
  
  if (count === 1) {
    // Set expiry only on first increment to avoid race condition
    await redis.expire(windowKey, 60);
  }
  
  return count <= limit;
}

The boundary burst problem (critical flaw):

Limit: 10 req/min

00:59 — client sends 10 requests  (window 1: count = 10, full)
01:00 — window resets
01:01 — client sends 10 more requests (window 2: count = 10)

In 2 seconds, the client sent 20 requests — 2x the limit
with zero rate limiting penalty.

This is the boundary burst: at every window boundary, an attacker can send 2× the limit. This is exploitable and means fixed window does not guarantee your stated limit.

When to use: Internal admin tools, low-stakes APIs, or when simplicity outweighs precision. Never use for security-critical rate limiting.

Space: O(1) per client (single counter). Time: O(1). Redis ops: 2 (INCR + EXPIRE on first request).

Algorithm 2: Sliding Window Log

Maintain a timestamped log of every request. On each request, remove entries older than the window, count remaining entries.

async function isAllowed(
  clientId: string, 
  limit: number, 
  windowMs: number
): Promise<boolean> {
  const now = Date.now();
  const windowStart = now - windowMs;
  const key = `ratelimit:log:${clientId}`;

  // Atomic Lua script: remove old entries, add current, count
  const count = await redis.eval(`
    local key = KEYS[1]
    local window_start = ARGV[1]
    local now = ARGV[2]
    local limit = tonumber(ARGV[3])
    local window_ms = tonumber(ARGV[4])
    
    -- Remove all entries older than window
    redis.call('ZREMRANGEBYSCORE', key, '-inf', window_start)
    
    -- Add current request with score = timestamp
    redis.call('ZADD', key, now, now)
    
    -- Set expiry
    redis.call('PEXPIRE', key, window_ms)
    
    -- Count requests in window
    return redis.call('ZCARD', key)
  `, 1, key, windowStart, now, limit, windowMs) as number;

  return count <= limit;
}

Accurate but memory-expensive:

1 client, 1000 req/min limit, each entry = 16 bytes:
  Per client: 1000 × 16 bytes = 16 KB
  At 1M clients: 16 GB RAM just for rate limit state

Compare to fixed window:
  Per client: 8 bytes (single integer)
  At 1M clients: 8 MB

When to use: When accuracy is paramount and client count is bounded. Suitable for per-user limits where you have <10K active users. Not viable for high-cardinality public APIs.

Algorithm 3: Sliding Window Counter (Approximation)

The clever middle ground. Uses two fixed windows and weights them by overlap with the current sliding window.

Window size: 60 seconds
Current time: 01:15 (i.e., 15 seconds into minute 1)
Previous window (00:00–00:59): 8 requests
Current window (01:00–01:59): 3 requests

Weight of previous window = (60 - 15) / 60 = 0.75

Approximate count = 8 × 0.75 + 3 × 1.0
                  = 6 + 3 = 9 requests in sliding window

async function isAllowed(
  clientId: string,
  limit: number,
  windowMs: number
): Promise<boolean> {
  const now = Date.now();
  const windowStart = Math.floor(now / windowMs) * windowMs;
  const prevWindowStart = windowStart - windowMs;
  
  const currentKey = `ratelimit:${clientId}:${windowStart}`;
  const prevKey = `ratelimit:${clientId}:${prevWindowStart}`;

  const [currentCount, prevCount] = await redis.mget(currentKey, prevKey);
  
  const current = parseInt(currentCount ?? '0');
  const prev = parseInt(prevCount ?? '0');
  
  // How far into the current window are we?
  const elapsed = now - windowStart;
  const prevWeight = (windowMs - elapsed) / windowMs;
  
  const approximateCount = prev * prevWeight + current;
  
  if (approximateCount >= limit) {
    return false;
  }

  // Increment current window
  await redis.multi()
    .incr(currentKey)
    .expire(currentKey, Math.ceil(windowMs / 1000) * 2)
    .exec();

  return true;
}

Error bound: This approximation assumes requests in the previous window were uniformly distributed — which is usually true at scale. The maximum error is <1% of the limit in practice (Cloudflare found this acceptable for their use case). Memory cost: O(2) per client — just two counters.

Used by: Cloudflare's rate limiting, Redis's own rate limiting documentation.

Algorithm 4: Token Bucket

The most widely used algorithm in production systems. Conceptually: a bucket holds tokens. Each request consumes one token. Tokens refill at a fixed rate. If the bucket is empty, reject the request.

Bucket capacity: 100 tokens
Refill rate:     10 tokens/second

t=0:    bucket = 100  (full)
t=0:    burst of 100 requests → bucket = 0
t=1:    10 tokens added → bucket = 10
t=1:    10 requests → bucket = 0
t=5:    50 tokens added → bucket = 50

Key insight: Token bucket allows bursting up to the bucket capacity. A client can send 100 requests instantly, then is throttled to 10/second. This is ideal for real-world clients that have bursty-but-bounded traffic.

interface TokenBucket {
  tokens: number;
  lastRefillTime: number;
}

class TokenBucketRateLimiter {
  constructor(
    private readonly redis: Redis,
    private readonly capacity: number,
    private readonly refillRatePerSecond: number
  ) {}

  async isAllowed(clientId: string): Promise<{ allowed: boolean; tokensRemaining: number }> {
    const key = `tokenbucket:${clientId}`;
    const now = Date.now();

    // Use Lua script for atomicity — read-modify-write must be atomic
    const result = await this.redis.eval(`
      local key = KEYS[1]
      local now = tonumber(ARGV[1])
      local capacity = tonumber(ARGV[2])
      local refill_rate = tonumber(ARGV[3])
      
      local bucket = redis.call('HMGET', key, 'tokens', 'last_refill')
      local tokens = tonumber(bucket[1]) or capacity
      local last_refill = tonumber(bucket[2]) or now
      
      -- Calculate tokens to add since last refill
      local elapsed_seconds = (now - last_refill) / 1000
      local tokens_to_add = elapsed_seconds * refill_rate
      tokens = math.min(capacity, tokens + tokens_to_add)
      
      local allowed = 0
      if tokens >= 1 then
        tokens = tokens - 1
        allowed = 1
      end
      
      redis.call('HMSET', key, 'tokens', tokens, 'last_refill', now)
      redis.call('EXPIRE', key, 3600)
      
      return {allowed, math.floor(tokens)}
    `, 1, key, now, this.capacity, this.refillRatePerSecond) as [number, number];

    return {
      allowed: result[0] === 1,
      tokensRemaining: result[1]
    };
  }
}

Properties:

Handles bursts (up to bucket capacity)
Smooth long-term rate (limited by refill rate)
O(1) space per client, O(1) time
1 Redis round-trip (Lua script atomic)

Used by: Stripe (they've written publicly about using token bucket), AWS API Gateway, many service meshes.

Algorithm 5: Leaky Bucket

A queue with a fixed-rate drain. Requests enter the queue; they exit (are processed) at a constant rate. If the queue is full, reject.

Queue (capacity 10):   [req1][req2][req3]...
Drain rate:            5 requests/second

Requests processed at exactly 5/sec, regardless of arrival pattern.

Key difference from token bucket: Token bucket allows variable processing rate (bursting). Leaky bucket enforces a perfectly constant output rate. No bursting.

Use case: Rate limiting outgoing calls to a downstream service with strict rate limits (SMS gateway, payment processor). You want to smooth out your request pattern, not just cap it.

Tradeoff: Queued requests add latency. Full queue = dropped requests without retrying from queue drain.

Algorithm Comparison

| Algorithm | Burst Handling | Memory | Accuracy | Complexity | |---|---|---|---|---| | Fixed Window | Allows 2× at boundary | O(1) | Low | Very low | | Sliding Window Log | Not allowed | O(n) requests | Exact | Medium | | Sliding Window Counter | Approximate smooth | O(1) | ~99% | Low | | Token Bucket | Allows bursts up to capacity | O(1) | Exact | Medium | | Leaky Bucket | No burst, constant output | O(n) queue | Exact | Medium |

Real company choices:

Stripe: Token bucket (public reference in their rate limiting blog post)
Cloudflare: Sliding window counter (efficient at 20+ trillion requests/day)
GitHub: Fixed window (simple, documented in API docs)
Nginx: Leaky bucket (limit_req module uses leaky bucket)
AWS API Gateway: Token bucket
Shopify: Leaky bucket (they've written about this publicly)

Distributed Rate Limiting with Redis

Single-server rate limiting is trivial. The hard problem is rate limiting across a fleet of API servers.

Naive Approach: Centralized Redis

All API servers talk to one Redis instance for rate limit state:

API Server 1 ──┐
API Server 2 ──┼──► Redis ──► rate limit state
API Server 3 ──┘

Works well for most use cases. Redis handles ~100K operations/second on a single node. At higher throughput, Redis can become a bottleneck.

Lua Scripts for Atomicity

Every rate limiting operation must be read-modify-write atomic. Non-atomic implementation:

// WRONG: Race condition
const count = await redis.get(key);          // Read
if (count < limit) {
  await redis.incr(key);                     // Write
  return true;                               // Two API servers can both pass this check
}

Two API servers executing concurrently both read count = 9 for a limit = 10, both pass, both increment → actual count becomes 11. Rate limit violated.

Fix: Redis Lua scripts run atomically (single-threaded Redis execution):

-- Atomic INCR + check
local key = KEYS[1]
local limit = tonumber(ARGV[1])
local window = tonumber(ARGV[2])

local count = redis.call('INCR', key)
if count == 1 then
  redis.call('EXPIRE', key, window)
end

if count > limit then
  return 0  -- rejected
else
  return 1  -- allowed
end

Sliding Window with Redis Sorted Sets

For exact sliding window, use a Redis sorted set with timestamp as score:

async function slidingWindowCheck(
  clientId: string,
  limit: number,
  windowMs: number
): Promise<boolean> {
  const key = `sw:${clientId}`;
  const now = Date.now();
  const windowStart = now - windowMs;
  
  // Pipeline: remove old, add current, count — executed server-side
  const pipeline = redis.pipeline();
  pipeline.zremrangebyscore(key, '-inf', windowStart);
  pipeline.zadd(key, now, `${now}-${Math.random()}`);  // unique member
  pipeline.zcard(key);
  pipeline.expire(key, Math.ceil(windowMs / 1000));
  
  const results = await pipeline.exec();
  const count = results[2][1] as number;
  
  return count <= limit;
}

Note: Redis pipeline is not atomic (commands can be interleaved with other clients). For exact correctness, use Lua script. Pipelines reduce round-trips but don't guarantee atomicity.

Local Cache + Periodic Sync (High Throughput)

At extreme scale (millions of RPS per service), even Redis becomes a bottleneck. Solution: synchronize rate limit state periodically rather than per-request.

class DistributedRateLimiter {
  private localTokens = new Map<string, number>();
  private syncInterval: ReturnType<typeof setInterval>;

  constructor(
    private redis: Redis,
    private capacity: number,
    private syncIntervalMs: number = 100
  ) {
    // Sync local state with Redis every 100ms
    this.syncInterval = setInterval(() => this.sync(), syncIntervalMs);
  }

  isAllowed(clientId: string): boolean {
    const tokens = this.localTokens.get(clientId) ?? this.capacity;
    if (tokens < 1) return false;
    this.localTokens.set(clientId, tokens - 1);
    return true;
  }

  private async sync(): Promise<void> {
    // For each client tracked locally, subtract consumed tokens from Redis
    for (const [clientId, localTokens] of this.localTokens.entries()) {
      const consumed = this.capacity - localTokens;
      if (consumed > 0) {
        // Atomic: subtract consumed, get remaining
        await redis.decrby(`tokens:${clientId}`, consumed);
        this.localTokens.delete(clientId);
      }
    }
  }
}

Trade-off: Allows small overages within the sync window (100ms × rate). For a 1000 req/s limit with 10 API servers and 100ms sync, worst case overage = 10 servers × 100ms × 1000/s = 1000 extra requests. Acceptable for most use cases.

Used by: Cloudflare's internal rate limiting at edge (they do local counting + periodic sync to reduce inter-datacenter coordination).

Rate Limit Headers

Communicate limit state to clients so they can self-throttle:

HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 487
X-RateLimit-Reset: 1705315200     # Unix timestamp: when window resets
X-RateLimit-Policy: 1000;w=3600  # IETF draft: 1000 per 3600s window

# On 429:
HTTP/1.1 429 Too Many Requests
Retry-After: 47                   # Seconds until client should retry
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1705315200

IETF RateLimit Headers (draft-ietf-httpapi-ratelimit-headers):

RateLimit-Limit: 100
RateLimit-Remaining: 42
RateLimit-Reset: 30       # Seconds until reset (relative, not absolute)

This draft spec is gaining adoption (FastAPI has built-in support). Prefer this for new APIs.

429 response body should include machine-readable detail:

{
  "type": "https://api.example.com/errors/rate-limit-exceeded",
  "title": "Rate Limit Exceeded",
  "status": 429,
  "detail": "You have exceeded the 1000 requests/hour limit.",
  "retryAfter": 47,
  "limit": 1000,
  "window": "1 hour"
}

Where to Enforce Rate Limits

Internet ──► [Load Balancer] ──► [API Gateway] ──► [App Service] ──► [Database]
                  L4                  L7               App layer

Layer 4: Load Balancer (L4 — TCP/UDP)

Can enforce connection rate limits and bandwidth limits but cannot inspect HTTP content. Useful for blocking abusive IPs at the TCP level (SYN flood protection).

# nginx: limit connection rate from single IP
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 20;  # max 20 concurrent connections per IP

Layer 7: API Gateway (L7 — HTTP)

The right layer for request rate limiting. Can inspect HTTP headers, paths, and authentication context. Apply per-path, per-method, per-API-key limits here.

Benefits: Centralised enforcement; app services don't need to implement it. Enforced before request reaches app logic (fail fast).

Application Layer

Necessary when rate limiting depends on business logic — e.g., "limit to 3 payment attempts per order" or "limit failed login attempts to 5 per account per 15 minutes." The API gateway doesn't have the business context to enforce these.

Rule: Enforce at the highest applicable layer. Only push to app layer when business logic is required.

Rate Limiting Granularity

| Granularity | Pros | Cons | Use Case | |---|---|---|---| | IP Address | No auth required, stops unauthenticated abuse | Shared IPs (NAT, corporate) can block many users | Unauthenticated endpoints, login rate limiting | | API Key | Identifies client application | Single key shared among users | Public APIs, partner integrations | | User Account | Fairest for multi-user clients | Requires authentication | Authenticated user actions | | Endpoint | Protects expensive operations specifically | Complex to manage many rules | /search, /export, AI inference endpoints | | Organisation/Tenant | Enforces business plan limits | Doesn't protect against single rogue user | SaaS tier limits |

Layered approach (recommended):

Request comes in:
1. IP-level: max 10,000 req/min per IP           (DDoS protection)
2. API key-level: max 1,000 req/min per key      (abuse protection)
3. User-level: max 100 req/min per user account  (fairness)
4. Endpoint-level: /search max 20 req/min        (expensive resource)

All four layers can fire. Client gets the most restrictive limit that applies.

Handling Distributed State: The Race Condition Problem

Two API servers, one Redis, limit = 10 req/min:

Server A reads count = 9 ──────────────────────────────┐
Server B reads count = 9 ──────────────────┐            │
Server B increments to 10, returns allowed  │            │
                                            ├──►  Both passed!
Server A increments to 10, returns allowed  │    Count is now 11

Solutions:

Lua scripts (shown above) — atomic at Redis level
Redis transactions (MULTI/EXEC) — optimistic locking, retry on conflict
Redis modules (RedisCell) — implements GCRA (Generic Cell Rate Algorithm) natively in Redis C module, extremely fast

# RedisCell: CL.THROTTLE key max_burst count_per_period period [quantity]
CL.THROTTLE clientId 100 10 1 1
#                      ^   ^  ^ ^
#              capacity|   |  | quantity to consume
#                   rate|  period (seconds)
#              (requests/period)

# Returns: [allowed(0=yes,1=no), total, remaining, retry_after_ms, reset_after_ms]

Rate Limiting Patterns for Specific Use Cases

// Different limits for different failure scenarios
async function checkLoginRateLimit(ip: string, username: string): Promise<void> {
  // Limit by IP: prevents credential stuffing
  const ipAllowed = await limiter.check(`login:ip:${ip}`, { limit: 20, window: '15m' });
  
  // Limit by username: prevents targeted brute force
  const userAllowed = await limiter.check(`login:user:${username}`, { limit: 5, window: '15m' });
  
  if (!ipAllowed || !userAllowed) {
    throw new RateLimitError('Too many login attempts. Try again in 15 minutes.');
  }
}

// On successful login: reset the per-user counter
await redis.del(`login:user:${username}`);

Exponential Backoff with Jitter (Client Side)

async function retryWithBackoff<T>(
  fn: () => Promise<T>,
  maxRetries = 5
): Promise<T> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    try {
      return await fn();
    } catch (error) {
      if (error instanceof RateLimitError && attempt < maxRetries) {
        const retryAfter = error.retryAfter ?? 0;
        
        // Exponential backoff with full jitter
        const backoff = Math.min(
          retryAfter * 1000 + Math.pow(2, attempt) * 1000,
          30000 // max 30 seconds
        );
        const jitter = Math.random() * backoff;
        
        await sleep(jitter);
        continue;
      }
      throw error;
    }
  }
  throw new Error('Max retries exceeded');
}

Full jitter (multiply by random) is preferred over additive jitter — it avoids thundering herd when many clients retry simultaneously after a rate limit reset.

Interview Checklist

Algorithm Fundamentals

[ ] Explain the fixed window counter. What is the boundary burst problem?
[ ] How does the sliding window log algorithm work? What is its memory complexity?
[ ] How does the sliding window counter approximate the sliding window? What is the max error?
[ ] Explain the token bucket algorithm. How does it handle bursts differently from leaky bucket?
[ ] Which algorithm does Stripe use? Which does Cloudflare use?

Distributed Implementation

[ ] Why must rate limit operations be atomic? Show the race condition
[ ] How do Redis Lua scripts solve the atomicity problem?
[ ] Design a rate limiter using Redis sorted sets for exact sliding window
[ ] How would you implement rate limiting for 10M RPS without Redis becoming a bottleneck?

Architecture

[ ] At what layer should you enforce rate limits? LB vs API gateway vs app?
[ ] Compare rate limiting by IP vs API key vs user account
[ ] How do you rate limit unauthenticated endpoints without API keys?
[ ] Design rate limiting for a login endpoint to prevent both credential stuffing and brute force

Client-Side

[ ] What headers should a rate-limited response include?
[ ] Implement exponential backoff with jitter. Why is jitter necessary?
[ ] A client receives Retry-After: 60. What should it do?

Senior-Level Design

[ ] Design the rate limiting system for Stripe's public API (100+ req/s per key, millions of keys)
[ ] How would you implement rate limiting at Cloudflare's scale (25M requests/second)?
[ ] How do you handle rate limiting when your service is behind a shared NAT?
[ ] Design a rate limiter that supports different limits per pricing tier (Free: 100/h, Pro: 10k/h, Enterprise: unlimited)