What is API Rate Limiting?

API Rate Limiting restricts how many requests a user/IP can make in a time window. Common rules: "100 requests per minute" or "1000 requests per hour." Prevents abuse (DDoS, scraping), protects infrastructure, and enforces pricing tiers (free tier: 100 req/day, paid: unlimited). Return 429 "Too Many Requests" when limit exceeded. Essential for public APIs. Common algorithms: Token Bucket, Leaky Bucket, Fixed Window.

When Should You Use This?

Implement rate limiting for all public APIs, when you have free/paid tiers (enforce limits), to prevent abuse/scraping, or to protect infrastructure from overload. Even internal APIs benefit from rate limiting (buggy code can't take down the system). Use CDN/API gateway rate limiting (Cloudflare, AWS API Gateway) before rolling your own.

Common Mistakes to Avoid

• •No rate limiting—APIs get abused, scraped, or DDoSed
• •Too restrictive—legitimate users hit limits, bad UX
• •No rate limit headers—clients don't know their limit or remaining quota
• •Per-server limits—user hits limit on one server but not others, use distributed counter (Redis)
• •Same limit for all users—paid customers should have higher limits

Real-World Examples

• •Stripe API—Rate limits per API key, returns headers with remaining quota
• •Twitter API—Strict rate limits, different for free/paid tiers
• •GitHub API—5000 requests/hour for authenticated, 60 for unauthenticated
• •Cloudflare—DDoS protection via rate limiting at edge