Token Bucket allows bursts (e.g., 150 requests at once
when limit is 100/min) and refills tokens at a constant rate. Great for
APIs that need to handle short bursts.
Sliding Window distributes requests smoothly over time.
If limit is 100/min, it calculates an average over the last minute.
Better for preventing sudden spikes.
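The difference between the two algorithms, as an added example that is not code from the original page: both limiters receive the same constructed traffic with the 100/min limit used above. The bucket capacity of 150, the log-based sliding-window variant, and all class and function names are assumptions made for illustration.

```python
from collections import deque

class TokenBucket:
    """Holds up to `capacity` tokens; refills `refill` tokens every `period` s."""
    def __init__(self, capacity, refill, period, now=0.0):
        self.capacity, self.refill, self.period = capacity, refill, period
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)  # ignore a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill / self.period)
        self.last = max(self.last, now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class SlidingWindowLog:
    """Allows at most `limit` requests in any trailing `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, deque()

    def allow(self, now):
        # Drop timestamps that have aged out of the trailing window.
        while self.hits and self.hits[0] <= now - self.window:
            self.hits.popleft()
        if len(self.hits) < self.limit:
            self.hits.append(now)
            return True
        return False

def demo():
    """Send 200 requests at t=0s, 30s and 60s (constructed traffic)."""
    limiters = {
        "token_bucket": TokenBucket(capacity=150, refill=100, period=60.0),
        "sliding_window": SlidingWindowLog(limit=100, window=60.0),
    }
    results = {}
    for name, limiter in limiters.items():
        results[name] = [sum(limiter.allow(t) for _ in range(200))
                         for t in (0.0, 30.0, 60.0)]
    return results

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15s} allowed per batch: {allowed}")
```

The token bucket admits 150 requests at once and 250 across the first 60 seconds, while the sliding-window log never admits more than 100 in any trailing 60 seconds.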
Redis: Best for distributed systems with multiple
backend servers. Maintains state across all instances. Ideal for
user-based limiting.
Nginx: Best for simple IP-based limiting at the edge.
Very fast, low latency. Good for protecting against DDoS. Limited to
IP-based keys.
Public/Unauthenticated: 100 req/min per IP (prevents abuse while allowing legitimate use)
Authenticated/Free Tier: 1000 req/hour per user
Paid/Premium: 10,000+ req/hour per user
Internal/Service-to-Service: 10,000+ req/min (high trust)
Rate Limiting FAQs
Token vs Leaky vs Sliding Window
Token Bucket allows bursts, Leaky Bucket smooths traffic to a fixed pace, and Sliding Window enforces fair limits over exact windows.
Burst vs sustained limits
Use a higher burst to tolerate spikes but keep a lower sustained RPS to protect backends.
Distributed rate limits
Back the limiter with Redis, use time-bucketed keys, and account for clock skew and key evictions.