API Rate Limiting Explained
On this page
What API Rate Limiting Actually Does
API rate limiting caps how many requests a single client — a user, an API key, or an IP address — can make to your service within a given time window. Once that client hits the cap, the server starts rejecting further requests, usually with an HTTP 429 "Too Many Requests" response, until the window resets.
The point isn't to punish anyone. It's to protect the service from being overwhelmed, whether the flood of requests comes from a runaway script, a scraper, a misconfigured integration, or a genuine spike in legitimate traffic. Without a limit, one bad actor or one buggy client can consume the same server resources as thousands of real users, slowing or crashing the app for everyone else.
Why It Matters Even for Small Applications
It's easy to assume rate limiting is only a concern for large platforms with millions of users, but the opposite is often true. A small business API or internal dashboard with no rate limiting is actually more exposed, because it usually has fewer servers and less headroom to absorb a spike. A single misbehaving script — even one written by your own team, like a loop that accidentally calls an endpoint in a tight retry cycle — can take the whole service down.
Rate limiting is also a basic security control. Login endpoints without a limit are vulnerable to brute-force password guessing. Public-facing search or lookup endpoints without a limit are an open invitation for scrapers to pull your entire dataset. Setting reasonable limits closes off both problems without requiring complex fraud detection.
Common Rate Limiting Strategies
Fixed window counts requests in fixed time blocks, like "100 requests per minute," where the counter resets at the top of each minute. It's simple to implement but has an edge case: a client can make 100 requests in the last second of one window and another 100 in the first second of the next, effectively doubling the intended rate briefly.
Sliding window tracks requests over a rolling period rather than a fixed clock boundary, smoothing out that edge case at the cost of slightly more computation and memory.
Token bucket gives each client a bucket of tokens that refills at a steady rate. Each request consumes a token; if the bucket is empty, the request is rejected. This approach naturally allows short bursts of activity (as long as tokens are available) while still enforcing an average rate over time, which matches how real usage patterns actually behave.
Leaky bucket is similar in spirit but processes requests at a constant output rate regardless of how bursty the input is, which suits systems that need a predictable, steady load on downstream resources.
Most production setups don't build these from scratch. Cloud providers, API gateways (like AWS API Gateway or Cloudflare), and web frameworks all ship built-in rate limiting middleware, so the implementation work is usually configuration, not custom code.
Where to Apply Limits
Rate limits typically get set per API key or authenticated user for B2B or partner APIs, since that's the identity you actually control and bill against. For public-facing endpoints without authentication, limits are usually applied per IP address instead, though that's imperfect — many real users can share one IP behind a corporate network or mobile carrier, so overly aggressive per-IP limits can block legitimate traffic alongside abusive traffic.
A layered approach works best in practice: a generous per-IP limit to catch obvious abuse, plus a tighter per-key or per-user limit tied to your actual pricing tiers. Sensitive endpoints — login, password reset, checkout — deserve stricter limits than a general content-read endpoint, because the cost of abuse there is higher.
What Happens When a Client Hits the Limit
A well-designed rate-limited API doesn't just silently drop requests. It returns a clear 429 status code along with headers indicating the limit, how many requests remain, and when the window resets (commonly X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After). This lets well-behaved client software back off and retry later instead of hammering the server repeatedly, which is exactly the behavior rate limiting is meant to encourage.
If you're integrating with a third-party API — payment processors, mapping services, email providers — respecting their documented rate limits is your responsibility, not theirs to gracefully absorb. Building retry logic with exponential backoff into your own integrations is standard practice and prevents your app from being throttled or temporarily banned during traffic spikes.
Rate Limiting and Business Growth
As a business's website or app grows to depend on more third-party integrations and its own APIs get consumed by more partners, rate limiting stops being an edge-case concern and becomes core infrastructure. It's much easier to design sensible limits from the start than to retrofit them onto a service that's already struggling under unmanaged load. If you're building or scaling a custom web application, this is exactly the kind of infrastructure decision worth getting right during initial web development rather than after a traffic-driven outage forces the issue.
FAQ
What's the difference between rate limiting and throttling?
They're closely related and often used interchangeably. Rate limiting typically refers to rejecting requests once a hard cap is hit, while throttling can mean slowing requests down (adding delay) rather than rejecting them outright — some systems do both together.
Will rate limiting block real customers?
Done well, no. Limits should be set well above normal usage patterns, so only unusual, bot-like, or erroneous request volumes hit the cap. Monitoring actual traffic before finalizing limits helps avoid false positives.
Does my small business website need API rate limiting?
If your site exposes any API endpoints — a contact form handler, a search feature, a booking system — some basic rate limiting is worth having, even at modest traffic levels, since it's cheap insurance against bots and scripted abuse.
Can rate limiting stop DDoS attacks?
It helps but isn't a complete defense on its own. Rate limiting handles moderate, sustained abuse well; a large-scale distributed attack usually also needs network-level protection like a CDN or firewall with DDoS mitigation in front of the application.
How do I know what limit to set?
Start by looking at your normal peak usage patterns and set the limit at a healthy multiple above that — enough to allow for legitimate spikes but well below what would strain your infrastructure. Adjust based on real monitoring data rather than guessing once.
Related service: Next.js & React Web Development Agency
Planning a new website?
Let's talk about how a fast, SEO-ready Next.js site can help your business grow.
Start Your Project