Design a robust rate limiting strategy for your API with tiered plans, algorithms, and implementation guidance.
## CONTEXT Without rate limiting, a single abusive client can consume 90% of your API's capacity, degrading the experience for thousands of legitimate users. GitHub reported that their rate limiting system blocks over 100 million abusive requests per day while allowing legitimate traffic to flow unimpeded. Yet most rate limiting implementations are either too aggressive (blocking legitimate bursts and frustrating users) or too permissive (allowing abuse to impact performance). A well-designed rate limiting strategy is the invisible shield that keeps your API fast, fair, and resilient. ## ROLE You are a platform engineer with 12 years of experience designing rate limiting and throttling systems for high-traffic APIs serving hundreds of millions of requests daily. You built the rate limiting infrastructure at a major API platform that processes 2 billion requests daily across 50,000 API consumers with 99.99% uptime. Your designs have been battle-tested during viral traffic spikes, DDoS attempts, and runaway client scripts. You understand the nuances of distributed rate limiting at scale — including clock drift, Redis failover, and the thundering herd problem — and your tier-based systems have increased API revenue by enabling premium rate limit plans. ## RESPONSE GUIDELINES - Select algorithms based on the specific traffic patterns and fairness requirements described, not one-size-fits-all defaults - Provide concrete numerical limits for each tier based on the traffic volumes and infrastructure capacity provided - Include complete implementation pseudocode that can be translated directly into production code - Design the client experience around the rate limit — clear headers, helpful 429 responses, and retry guidance - Do NOT design limits so tight that legitimate usage patterns are blocked during normal business-hours traffic spikes - Do NOT ignore the distributed systems challenges — rate limiting that only works on a single server is not rate limiting ## TASK CRITERIA 1. **Algorithm Selection and Justification** — Evaluate token bucket, sliding window log, sliding window counter, and fixed window counter algorithms against the specific traffic patterns. Select the optimal algorithm with detailed justification covering accuracy, memory usage, burst handling, and implementation complexity. 2. **Tier-Based Limit Configuration** — Design a limit table with at least 3 tiers (free, standard, premium) specifying: requests per second, per minute, per hour, and per day for each tier. Include per-endpoint limits for expensive operations (search, export, bulk operations) that consume disproportionate resources. 3. **Endpoint Cost Weighting** — Assign cost weights to different endpoints based on their resource consumption. A simple GET might cost 1 unit while a complex search costs 5 units and a bulk export costs 50 units. Design the limit system to account for these variable costs. 4. **Response Header Implementation** — Specify the exact rate limit headers to include in every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset (Unix timestamp), and X-RateLimit-Policy. Include examples of header values at various consumption levels. 5. **429 Response Design** — Create the complete 429 Too Many Requests response format including: machine-readable error code, human-readable message, Retry-After header with the exact wait time, current limit details, and a link to documentation on upgrading to higher limits. 6. **Burst Allowance Strategy** — Design a burst mechanism that allows legitimate short spikes (page load triggering 20 parallel requests) while still protecting against sustained abuse. Specify burst bucket size, refill rate, and interaction with the base rate limit. 7. **Distributed Rate Limiting Architecture** — Design the distributed implementation using Redis or equivalent, addressing: atomic increment operations, key expiration strategy, cluster failover handling, consistency vs. availability trade-offs, and performance impact (target under 1ms overhead per request). 8. **Abuse Detection and Dynamic Throttling** — Build rules for detecting abuse patterns beyond simple rate exceeding: credential stuffing patterns, scraping behavior, API key sharing across multiple IPs, and automated bot signatures. Design dynamic throttle responses that increase restrictions proportionally. 9. **Monitoring, Alerting, and Analytics** — Define the metrics to track: limit utilization by tier, 429 rate by consumer, top consumers approaching limits, and infrastructure capacity headroom. Set alerting thresholds for unusual patterns and capacity planning triggers. 10. **Client-Side Retry Guidance** — Provide complete client-side retry implementation guidance: exponential backoff algorithm with jitter, maximum retry attempts, circuit breaker integration, and queue-based request management for bulk operations. ## INFORMATION ABOUT ME - My API type: [INSERT API TYPE — e.g., public REST API, internal microservice API, partner integration API] - My current traffic volume: [INSERT TRAFFIC — e.g., 10K requests/minute, 5M requests/day, 100 req/s peak] - My user tiers: [INSERT TIERS — e.g., free/pro/enterprise, anonymous/authenticated/partner, internal/external] - My infrastructure: [INSERT INFRASTRUCTURE — e.g., AWS API Gateway with Lambda, Kubernetes with nginx ingress, Cloudflare Workers] - My expensive endpoints: [INSERT EXPENSIVE ENDPOINTS — e.g., /search takes 500ms, /export processes 10K records, /bulk-create inserts 1K items] - My known abuse patterns: [INSERT ABUSE PATTERNS — e.g., scraping product data, credential stuffing on login, runaway client loops] ## RESPONSE FORMAT - Open with a strategy summary explaining the chosen algorithm, tier structure, and key design decisions in 5-7 sentences - Present the tier-based limit configuration as a detailed table with per-endpoint breakdowns - Include complete pseudocode for the rate limiting algorithm implementation with inline comments - Provide example HTTP response headers and 429 response bodies at various consumption levels - Include a client-side retry implementation example in pseudocode with exponential backoff and jitter - Close with a monitoring dashboard specification and capacity planning formula for scaling limits as traffic grows
Or press ⌘C to copy