Rate Limiting — Explained with Examples

DodaTech Updated Jun 15, 2026 2 min read

Rate limiting is a technique that controls how many requests a client can make to a server within a specific time window to prevent abuse and ensure fair usage.

Rate limiting is essential for protecting APIs from abuse, ensuring fair resource distribution, and maintaining service quality under load.

Common Rate Limiting Algorithms

Token Bucket — a bucket holds a fixed number of tokens. Each request consumes a token. Tokens refill at a steady rate. Bursts are allowed up to bucket size.

Bucket capacity: 10 tokens
Refill rate: 1 token/second
Request arrives → token available? → allow (consume token)
No tokens? → reject or queue

Leaky Bucket — requests enter a queue (bucket) and are processed at a fixed rate. If the bucket overflows, excess requests are rejected.

Sliding Window — tracks requests within a rolling time window (e.g., the last 60 seconds). More accurate than a fixed window, which can let a burst through where two windows meet: a client can use its full quota at the end of one window and again at the start of the next.
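The token bucket and sliding window described above, as an added example that is not part of the original article: the bucket uses the article's parameters (capacity 10, refill 1 token/second), the sliding window keeps a log of accepted timestamps, and both take an injected clock (an assumption made here so the behaviour can be stepped through without sleeping).

```javascript
class TokenBucket {
  constructor(capacity, refillPerSec, now) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;                 // clock returning seconds (injected, see lead-in)
    this.tokens = capacity;         // starts full, so an initial burst up to capacity is allowed
    this.last = now();
  }
  refill() {                        // add tokens earned since the last check, capped at capacity
    const t = this.now();
    this.tokens = Math.min(this.capacity, this.tokens + (t - this.last) * this.refillPerSec);
    this.last = t;
  }
  tryAcquire() {                    // true = allow (one token consumed), false = reject or queue
    this.refill();
    if (this.tokens >= 1) { this.tokens -= 1; return true; }
    return false;
  }
}

class SlidingWindowLog {
  constructor(limit, windowSec, now) {
    this.limit = limit; this.windowSec = windowSec; this.now = now;
    this.log = [];                  // timestamps of accepted requests, oldest first
  }
  tryAcquire() {
    const t = this.now();
    while (this.log.length && this.log[0] <= t - this.windowSec) this.log.shift(); // drop expired
    if (this.log.length >= this.limit) return false;   // window already full
    this.log.push(t);
    return true;
  }
}

// Constructed fake clock: advance it manually instead of waiting on real time.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (s) => { t += s; } };
}

// A burst of 12 requests at t=0 gets 10 through; after waiting 3 s, 3 more tokens exist.
function demoTokenBucket() {
  const clock = makeClock();
  const bucket = new TokenBucket(10, 1, clock.now);
  const burst = Array.from({ length: 12 }, () => bucket.tryAcquire()).filter(Boolean).length;
  clock.advance(3);
  const afterWait = Array.from({ length: 5 }, () => bucket.tryAcquire()).filter(Boolean).length;
  return { burst, afterWait };     // { burst: 10, afterWait: 3 }
}
```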

Example: Express Rate Limiting

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// Global limiter
const globalLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,
  message: { error: 'Too many requests, try again later' },
  standardHeaders: true, // send the RateLimit-* headers (express-rate-limit v6+)
  legacyHeaders: false   // do not send the older X-RateLimit-* headers
});

// Per-endpoint limiter (stricter for auth)
const authLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 5,
  message: { error: 'Too many login attempts' }
});

app.use('/api/', globalLimiter);    // applies to every /api/* route, including /api/login
app.use('/api/login', authLimiter); // login additionally gets the stricter limit

Response headers returned when a client is rate limited:

HTTP/1.1 429 Too Many Requests
RateLimit-Limit: 100
RateLimit-Remaining: 0
RateLimit-Reset: 1623456789
Retry-After: 360

Real-World Analogy

Rate limiting is like a nightclub with a capacity limit. The bouncer counts people entering (requests). If the club is full, new guests wait outside until someone leaves. VIP sections have looser limits but are still capped. Without the bouncer, the club would be dangerously overcrowded and no one would have a good time.

Related Terms

API Gateway, DDoS, REST, WAF, Microservices