API Rate Limiting Strategy

3/12/2026

We need to implement rate limiting before the v2 launch. The current system has no throttling, and we've seen abuse patterns from scrapers.

# Token Bucket Algorithm

Each API key gets a bucket of 100 tokens, refilled at 10 tokens/sec. This is burst-friendly (up to 100 requests at once) but caps sustained throughput at the refill rate, which prevents long-running abuse.

```
Rate-Limit: 100 requests/10s
Retry-After: <seconds>
X-RateLimit-Remaining: <count>
```

# Tiers

| Tier | Rate | Burst | Use case |
|---|---|---|---|
| Free | 60/min | 10 | Hobby projects |
| Pro | 600/min | 50 | Production apps |
| Enterprise | 6000/min | 200 | High-scale |
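As an added example (not code from this draft or from the project's code base), here is a per-API-key token bucket in Python that takes its capacity (burst) and refill rate from the tier table above and emits the `X-RateLimit-Remaining` and `Retry-After` headers. The `RateLimiter` class, the `FakeClock` used to make the demo deterministic, and the tier names as dictionary keys are assumptions for illustration; `Retry-After` is computed as the time until one token becomes available.

```python
import math
import time
from dataclasses import dataclass

# Tier limits from the table: (sustained requests per minute, burst size).
# The tier names are assumed here as lookup keys.
TIERS = {
    "free": (60, 10),
    "pro": (600, 50),
    "enterprise": (6000, 200),
}


@dataclass
class TokenBucket:
    capacity: int          # maximum tokens, i.e. the burst size
    refill_per_sec: float  # sustained rate converted to tokens per second
    tokens: float          # current fill level (fractional between refills)
    last: float            # clock reading at the last refill


class RateLimiter:
    """One bucket per API key. Buckets are created lazily and start full."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self.buckets = {}

    def _bucket(self, api_key, tier, now):
        bucket = self.buckets.get(api_key)
        if bucket is None:
            rate_per_min, burst = TIERS[tier]
            bucket = TokenBucket(
                capacity=burst,
                refill_per_sec=rate_per_min / 60.0,
                tokens=float(burst),
                last=now,
            )
            self.buckets[api_key] = bucket
        return bucket

    def check(self, api_key, tier):
        """Return (allowed, headers) for one request from api_key."""
        now = self.clock()
        bucket = self._bucket(api_key, tier, now)
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = now - bucket.last
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True, {"X-RateLimit-Remaining": str(int(bucket.tokens))}
        # Deficit is < 1 token; wait until it is refilled, rounded up to whole seconds.
        wait = (1 - bucket.tokens) / bucket.refill_per_sec
        return False, {"X-RateLimit-Remaining": "0", "Retry-After": str(math.ceil(wait))}


class FakeClock:
    """Constructed clock for demonstration; advance() stands in for real time passing."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    limiter = RateLimiter(clock=clock)
    # Free tier: burst of 10, then the 11th request within the same second is refused.
    for _ in range(10):
        limiter.check("key-free", "free")
    print(limiter.check("key-free", "free"))   # (False, {... 'Retry-After': '1'})
    clock.advance(5)                          # five seconds -> five tokens refilled
    print(limiter.check("key-free", "free"))   # (True, {'X-RateLimit-Remaining': '4'})
```

Per-key buckets mean one abusive key cannot exhaust another key's allowance, and the fractional token balance keeps the sustained rate exact even when requests arrive irregularly. A production deployment would keep the bucket state in shared storage (the Redis benchmark in the next steps) so that every API node sees the same balance.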
1. Should we rate limit by IP or by API key?
2. Do we need separate limits for read vs write operations?
3. How do we handle WebSocket connections?

- Benchmark Redis vs in-memory sliding window
- Draft error response format
- Update SDK clients with retry logic
