API rate limiting implementation strategies
Tags: rate limiting, token bucket, throttling, 429, api protection
Problem
Need to protect APIs from abuse and ensure fair usage through rate limiting.
Solution
Rate limiting algorithms and implementation:
ALGORITHMS:
1. FIXED WINDOW
- Count requests per time window (e.g., 100/minute)
- Simple but allows burst at window boundaries
- 100 requests at 0:59 and 100 more at 1:01 both pass, so 200 requests get through in 2s without ever exceeding 100/minute
2. SLIDING WINDOW
- Weighted count across current and previous window
- Smoother than fixed window
- Slightly more complex
3. TOKEN BUCKET (recommended for most cases)
- Bucket holds N tokens, refills at rate R
- Each request consumes 1 token
- Allows bursts up to bucket size
- Steady-state rate = refill rate
4. LEAKY BUCKET
- Requests queue up, processed at fixed rate
- Smoothest output, no bursts allowed
- Good for APIs calling external services

# Token bucket with Redis
import time

import redis  # redis-py; the caller supplies the client, e.g. redis.Redis()

# The bucket logic runs as a Lua script so the read-refill-decrement-write
# sequence is atomic on the server. Reading the hash into Python, deciding,
# and writing back is a race: two concurrent requests can both see the last
# token and both be allowed.
TOKEN_BUCKET_LUA = """
local key = KEYS[1]
local max_tokens = tonumber(ARGV[1])
local refill_rate = tonumber(ARGV[2])
local refill_interval = tonumber(ARGV[3])
local now = tonumber(ARGV[4])

-- Current state; a missing key means a full bucket touched just now
local state = redis.call('HMGET', key, 'tokens', 'last_refill')
local tokens = tonumber(state[1]) or max_tokens
local last_refill = tonumber(state[2]) or now

-- Refill tokens for the time elapsed since the last call
local elapsed = now - last_refill
tokens = math.min(max_tokens, tokens + elapsed * refill_rate / refill_interval)

local allowed = 0
if tokens >= 1 then
    tokens = tokens - 1
    allowed = 1
end

-- Update state; expire idle buckets so the key space does not grow forever
redis.call('HSET', key, 'tokens', tokens, 'last_refill', now)
redis.call('EXPIRE', key, math.ceil(refill_interval * 10))
return {allowed, math.floor(tokens)}
"""


def check_rate_limit(redis_client, key, max_tokens, refill_rate, refill_interval=1):
    """Token bucket rate limiter.

    The bucket holds at most max_tokens and gains refill_rate tokens every
    refill_interval seconds. Returns (allowed, remaining_tokens).
    """
    now = time.time()
    allowed, remaining = redis_client.eval(
        TOKEN_BUCKET_LUA, 1, key, max_tokens, refill_rate, refill_interval, now
    )
    return bool(allowed), int(remaining)

HTTP response headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1609459200
Retry-After: 30

Return 429 Too Many Requests when the limit is exceeded; Retry-After tells the client how many seconds to wait before trying again.
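The algorithm comparison above and the header handling, worked through as an added Python example that is not part of the original page or of any project it references. It uses in-memory limiters driven by a fake clock (an assumption made so the simulation is reproducible and runs offline, in place of the Redis-backed version) to replay the fixed-window boundary burst described under ALGORITHMS, compare it with the sliding window and the token bucket for the same 100/minute limit, and then build the 429 response with X-RateLimit-* and Retry-After headers from the token bucket's state. All class and function names here are mine, not the page's.

```python
import math


class FakeClock:
    """Deterministic clock so the simulation is reproducible and runs offline."""
    def __init__(self, start=0.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FixedWindow:
    """Count requests per window; the counter resets at every window boundary."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.window_start, self.count = None, 0

    def allow(self):
        start = math.floor(self.clock.now() / self.window) * self.window
        if start != self.window_start:
            self.window_start, self.count = start, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


class SlidingWindow:
    """Previous window's count, weighted by how much of it is still in view, plus current."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.window_start, self.count, self.prev_count = None, 0, 0

    def allow(self):
        now = self.clock.now()
        start = math.floor(now / self.window) * self.window
        if start != self.window_start:
            # Carry the finished window over only if it is the one immediately before this one
            self.prev_count = self.count if self.window_start == start - self.window else 0
            self.window_start, self.count = start, 0
        overlap = 1 - (now - start) / self.window  # fraction of the previous window still in view
        if self.prev_count * overlap + self.count < self.limit:
            self.count += 1
            return True
        return False


class TokenBucket:
    """Bucket of `capacity` tokens, refilled continuously at `refill_rate` tokens per second."""
    def __init__(self, capacity, refill_rate, clock):
        self.capacity, self.refill_rate, self.clock = capacity, refill_rate, clock
        self.tokens, self.last = float(capacity), clock.now()

    def _refill(self):
        now = self.clock.now()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_rate)
        self.last = now

    def allow(self):
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def retry_after(self):
        """Whole seconds until one token is available (0 if a request would pass now)."""
        self._refill()
        return 0 if self.tokens >= 1 else math.ceil((1 - self.tokens) / self.refill_rate)


def boundary_burst(make_limiter, limit=100, window=60):
    """Send `limit` requests at 0:59 and `limit` more at 1:01; return how many passed."""
    clock = FakeClock(59)
    limiter = make_limiter(limit, window, clock)
    passed = sum(limiter.allow() for _ in range(limit))
    clock.advance(2)  # now 1:01, just past the window boundary
    return passed + sum(limiter.allow() for _ in range(limit))


def rate_limit_headers(bucket):
    """Decide one request against a token bucket; return (status, headers).

    200 when allowed, 429 with Retry-After otherwise. X-RateLimit-Reset is the
    epoch second at which the bucket is full again.
    """
    allowed = bucket.allow()
    refill_time = math.ceil((bucket.capacity - bucket.tokens) / bucket.refill_rate)
    headers = {
        "X-RateLimit-Limit": str(bucket.capacity),
        "X-RateLimit-Remaining": str(int(bucket.tokens)),
        "X-RateLimit-Reset": str(int(bucket.clock.now() + refill_time)),
    }
    if allowed:
        return 200, headers
    headers["Retry-After"] = str(bucket.retry_after())
    return 429, headers
```

Running `boundary_burst(FixedWindow)` lets all 200 requests through, `boundary_burst(SlidingWindow)` lets 102 through (the previous window's 100 still count at 59/60 weight), and `boundary_burst(lambda l, w, c: TokenBucket(l, l / w, c))` lets 103 through (100 from the full bucket plus the 3.33 tokens refilled in 2 seconds). Calling `rate_limit_headers` repeatedly on a `TokenBucket(3, 1.0, FakeClock(1000))` returns 200 three times and then 429 with `Retry-After: 1`, which is exactly what the client needs to back off correctly.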
Why
Rate limiting protects against abuse, ensures fair access, and prevents cascade failures. Token bucket is the most flexible algorithm, allowing bursts while maintaining average rate.
Context
API design and protection