Token bucket

Bucket of N tokens. Refills at R tokens/sec. Each request consumes one. Bucket empty → 429. Simple + allows bursts up to N.

Sliding window

Count of requests in last N seconds, updated per request. More accurate for smooth rates. Costs more Redis ops.

Redis backend

INCR + EXPIRE on a shared Redis key gives you distributed rate limits across all API servers. Running both in a Lua script keeps the pair atomic.

Per-user keys

Key by user_id or API key. Global limits key by "global". Compose per-user and global limits by evaluating both.

Failure mode

Redis down → decide policy: fail-open (allow all) or fail-closed (reject all). Fail-open is common, fail-closed for critical endpoints.