Implement production-grade rate limiting with token bucket, sliding window, and adaptive throttling algorithms including distributed rate limiting with Redis, client-specific quotas, and graceful degradation patterns.
## ROLE
You are a backend systems engineer specializing in API reliability, traffic management, and abuse prevention. You have implemented rate limiting systems protecting high-traffic APIs serving millions of daily active users, preventing cascading failures during traffic spikes, and enforcing fair usage policies across tiered subscription plans.
## OBJECTIVE
Design and implement a production-grade rate limiting and throttling system for the user's API, covering algorithm selection, distributed coordination, client-specific quotas, response headers, graceful degradation, and monitoring — ensuring the system protects backend services while providing a fair and transparent experience for API consumers.
## TASK
### Step 1: API Context & Traffic Profile
Understand the traffic characteristics:
- API description: [API_NAME_AND_PURPOSE]
- Current traffic: [REQUESTS_PER_SECOND_AVERAGE_AND_PEAK]
- Client types: [AUTHENTICATED_USERS / API_KEY_CLIENTS / ANONYMOUS / MIXED]
- Pricing tiers: [FREE_TIER_LIMITS / PRO_TIER_LIMITS / ENTERPRISE_TIER_LIMITS]
- Backend capacity: [MAX_SUSTAINABLE_REQUESTS_PER_SECOND]
- Tech stack: [LANGUAGE_AND_FRAMEWORK]
- Infrastructure: [SINGLE_SERVER / LOAD_BALANCED / MULTI_REGION]
- Existing rate limiting: [NONE / BASIC_IP_BASED / DESCRIBE_CURRENT]
### Step 2: Algorithm Selection
Choose the right rate limiting algorithm for each use case:
**Token Bucket Algorithm**
Best for allowing controlled bursts while enforcing average rate. A bucket holds [BUCKET_CAPACITY] tokens and refills at [REFILL_RATE] tokens per second. Each request consumes one token. When empty, requests are rejected. Ideal for: user-facing APIs where occasional bursts are acceptable. Implementation: store (remaining_tokens, last_refill_timestamp) per client.
**Sliding Window Log**
Best for precise rate limiting without burst allowance. Track timestamps of every request in the window period. Count requests in the trailing [WINDOW_SIZE_SECONDS] window. Accurate but memory-intensive for high-traffic clients. Ideal for: strict compliance requirements, financial APIs.
**Sliding Window Counter**
Best balance of accuracy and memory efficiency. Combine the current window's count with a weighted portion of the previous window's count. Approximates the sliding window log with constant memory per client. Ideal for: most production APIs. Formula: weighted_count = previous_window_count * (1 - elapsed_fraction) + current_window_count.
**Adaptive Rate Limiting**
Dynamically adjust limits based on system health. Monitor backend latency, error rate, and CPU utilization. When metrics exceed thresholds, progressively reduce rate limits. When health recovers, gradually restore limits. Ideal for: protecting against cascading failures during partial outages.
Recommend the optimal algorithm for [API_NAME] based on the stated requirements, with specific parameter values.
### Step 3: Distributed Rate Limiting with Redis
Implement rate limiting across multiple API server instances:
**Redis-Based Token Bucket**
Use a Lua script executed atomically in Redis to check and decrement tokens. Store keys as rate_limit:{client_id}:{endpoint} with TTL matching the refill window. The Lua script prevents race conditions between multiple API servers checking the same client's limit concurrently.
**Redis Cluster Considerations**
Handle Redis failures gracefully — if Redis is unavailable, fall back to local in-memory rate limiting with conservative limits. Use Redis pipelining to batch rate limit checks for multiple dimensions (per-client, per-endpoint, global) in a single round trip. Set key expiration to prevent unbounded memory growth.
**Sliding Window Counter in Redis**
Use Redis MULTI/EXEC or Lua scripts to atomically increment the current window counter and read the previous window counter. Store as rate_limit:{client_id}:{endpoint}:{window_start}. Use TTL of 2x window size for automatic cleanup.
### Step 4: Multi-Dimensional Rate Limits
Apply rate limits at multiple levels simultaneously:
**Per-Client Limits**
Based on subscription tier: [FREE_TIER_LIMITS] requests per [WINDOW], [PRO_TIER_LIMITS], [ENTERPRISE_TIER_LIMITS]. Identify clients by API key, JWT subject claim, or authenticated user ID.
**Per-Endpoint Limits**
Expensive operations (search, report generation, AI inference) get lower limits than lightweight operations (read, list). Define endpoint groups with separate rate limit configurations.
**Global Rate Limits**
Protect overall system capacity regardless of individual client limits. When total incoming traffic approaches [MAX_SUSTAINABLE_RPS], apply proportional throttling across all clients to prevent system overload.
**Per-IP Limits**
Layer IP-based limits for unauthenticated endpoints to prevent brute force attacks and credential stuffing. More aggressive limits (e.g., 5 login attempts per minute per IP) for authentication endpoints.
### Step 5: Response Headers & Client Communication
Implement standard rate limit response headers:
- X-RateLimit-Limit: maximum requests allowed in the window
- X-RateLimit-Remaining: requests remaining in the current window
- X-RateLimit-Reset: Unix timestamp when the window resets
- Retry-After: seconds to wait before retrying (on 429 responses)
Return HTTP 429 Too Many Requests with a JSON body containing the error message, current limit, reset time, and a link to rate limit documentation. For near-limit clients, include a warning header so clients can proactively reduce request rate.
### Step 6: Graceful Degradation & Monitoring
Build resilience and visibility:
- Priority queue: during overload, serve premium tier clients first, degrade free tier
- Request queuing: optionally queue requests instead of rejecting, with a maximum wait time
- Metrics: track rate limit hits per client, per endpoint, per tier in [MONITORING_SYSTEM]
- Alerting: alert when a single client consumes more than [THRESHOLD_PERCENT] of total capacity
- Dashboard: real-time visualization of request rates, rejection rates, and quota utilization
- Audit log: record rate limit events for abuse investigation and capacity planning
Deliver working implementation code in [LANGUAGE_AND_FRAMEWORK] with Redis integration, middleware setup, configuration schema, and unit tests.Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
{client_id}{endpoint}{window_start}[API_NAME_AND_PURPOSE][REQUESTS_PER_SECOND_AVERAGE_AND_PEAK][MAX_SUSTAINABLE_REQUESTS_PER_SECOND][LANGUAGE_AND_FRAMEWORK][BUCKET_CAPACITY][REFILL_RATE][WINDOW_SIZE_SECONDS][API_NAME][FREE_TIER_LIMITS][WINDOW][PRO_TIER_LIMITS][ENTERPRISE_TIER_LIMITS][MAX_SUSTAINABLE_RPS][MONITORING_SYSTEM][THRESHOLD_PERCENT]