Token bucket
Bucket of N tokens. Refills at R tokens/sec. Each request consumes one. Bucket empty → 429. Simple + allows bursts up to N.
Sliding window
Count of requests in last N seconds, updated per request. More accurate for smooth rates. Costs more Redis ops.
Redis backend
Atomic INCR + EXPIRE gives you distributed rate limits across all API servers. Lua script keeps it atomic.
Per-user keys
Key by user_id or API key. Global limits key by "global". Compose multiple limits by evaluating both.
Failure mode
Redis down → decide policy: fail-open (allow all) or fail-closed (reject all). Fail-open is common, fail-closed for critical endpoints.
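Added example, not from the original page: a token bucket keyed per user, composed with a global limit, with the fail-open / fail-closed choice applied when the store is unreachable. `MemoryStore`, `StoreDown`, `TokenBucket` and `allow` are hypothetical names, and the in-memory store stands in for Redis; against real Redis the check-then-consume step would run inside one Lua script to stay atomic across API servers.

```python
import time

class StoreDown(Exception):
    """Backing store unreachable (stands in for a Redis outage)."""

class MemoryStore:
    """Constructed in-memory stand-in for Redis: key -> (tokens, last_refill)."""
    def __init__(self):
        self.data, self.down = {}, False
    def get(self, key):
        if self.down:
            raise StoreDown(key)
        return self.data.get(key)
    def put(self, key, value):
        if self.down:
            raise StoreDown(key)
        self.data[key] = value

class TokenBucket:
    """Bucket of N tokens refilled at R tokens/sec, one bucket per key."""
    def __init__(self, store, capacity, refill_rate, clock=time.monotonic):
        self.store, self.n, self.r, self.clock = store, capacity, refill_rate, clock
    def peek(self, key):
        """Tokens available now (after refill, capped at N), without consuming."""
        now = self.clock()
        tokens, last = self.store.get(key) or (self.n, now)
        return min(self.n, tokens + (now - last) * self.r), now
    def take(self, key):
        tokens, now = self.peek(key)
        self.store.put(key, (tokens - 1, now))

def allow(limits, fail_open=True):
    """limits: list of (bucket, key) pairs, e.g. per-user plus global.
    True = serve the request, False = reject it."""
    try:
        # Check every limit first so a rejected request drains no bucket.
        if any(bucket.peek(key)[0] < 1 for bucket, key in limits):
            return False
        for bucket, key in limits:
            bucket.take(key)
        return True
    except StoreDown:
        # Store outage: the policy decides, not the bucket state.
        return fail_open
```

Pass `fail_open=False` for the critical endpoints; everything else can keep the default.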