← Back to Articles
6/6/2026Admin Post

rate limiting index

#Rate Limiting

Series: Rate Limiting Demystified

00rate limiting index
01rate limiting part1 fundamentals
02rate limiting part2 algorithms
03rate limiting part3 implementation
04rate limiting part4 distributed
05rate limiting part5 advanced industry
06rate limiting part6 interview questions
07rate limiting supplement1 antipatterns extended
08rate limiting supplement2 production challenges
09rate limiting supplement3 tradeoffs decision guide
010rate limiting supplement4 architecture patterns

Rate Limiting Demystified - Complete Series Index

A comprehensive, in-depth guide to mastering Rate Limiting from first principles to production-grade
distributed systems, real-world patterns, and interview preparation.

Series Navigation

PartFileTopics Covered
Part 1FundamentalsWhat is rate limiting, why it matters, terminology, types, HTTP standards, where to implement
Part 2Algorithms Deep DiveFixed Window, Sliding Window Log, Sliding Window Counter, Token Bucket, Leaky Bucket, GCRA
Part 3Implementation GuideRedis, Java/Spring Boot, Python, Node.js, Nginx, API Gateways, client-side retry
Part 4Distributed Rate LimitingDistributed challenges, atomicity, Lua scripts, race conditions, multi-region
Part 5Advanced and Industry PracticesAdaptive limiting, tiers, real-world companies, tips, pitfalls, anti-patterns
Part 6Interview Questions80+ Q&As from most frequent to tricky, system design, coding, follow-ups

Supplements (Additive Deep Dives)

SupplementFileTopics Covered
Supplement 1Anti-Patterns Extended25 additional named anti-patterns across Infrastructure, Business Logic, Operational, Client-Side, and Security categories — each with broken code, explanation, correct fix, and production impact rating
Supplement 2Production Challenges20 real production war stories: Redis memory explosion, split-brain failover, IP rotation attacks, CGN blocking, Lua timeouts, thundering herds, multi-tenant quota bleeding, and more — each with root cause, diagnosis commands, and concrete fix
Supplement 3Trade-Offs and Decision GuideComprehensive decision framework: when/where to rate limit, full algorithm trade-off matrices, storage backend comparison, centralized vs decentralized vs hybrid, fail-open vs fail-closed analysis, identifier strategy, and visual decision trees
Supplement 4Architecture Patterns10 named architecture patterns with ADRs: Gateway Sentinel, Layered Defense, Quota Cascade, Shadow Enforcement, Adaptive Throttle, Cost-Weighted Bucket, Tenant-Isolated Pool, Idempotency Shield, Sidecar Enforcer, Hybrid Approximate

What Is This Series?

Rate Limiting is one of the most critical components in production APIs and one of the most
frequently asked topics in system design interviews. Yet it is often dismissed with a single sentence:
"use Redis with a token bucket." This series tears that surface open.

This guide covers everything needed to master rate limiting:

  • The "why" before the "how" - what problems rate limiting actually solves
  • All 6 major algorithms explained with visuals, code, and trade-off analysis
  • Production-ready implementations in Java, Python, and Node.js
  • Redis-based solutions with Lua scripting for true atomicity
  • Distributed rate limiting pitfalls that trip up even senior engineers
  • Real-world patterns from Twitter, GitHub, Stripe, and Cloudflare
  • 80+ interview questions ordered by frequency, difficulty, and recency

Part 1: Fundamentals

rate-limiting-part1-fundamentals.md

  • What is Rate Limiting and why it exists (with real-world analogies)
  • The problems it solves: abuse prevention, fair usage, cost control, DDoS mitigation
  • Core terminology: Rate, Limit, Window, Burst, Quota, Throttle, Backpressure
  • Types of rate limiting: User-level, IP-based, API Key-based, Endpoint-based, Global, Geographic
  • Rate Limiting vs Throttling vs Circuit Breaker vs Load Shedding vs Backpressure
  • HTTP standards: Status 429, Retry-After, X-RateLimit-Limit/Remaining/Reset headers
  • The RateLimit header group (IETF RFC 6585 and draft-ietf-httpapi-ratelimit-headers)
  • Where to implement: Client, Load Balancer, API Gateway, Application, Service Mesh
  • Rate limiting granularity: per-second, per-minute, per-day, composite limits
  • Inbound vs Outbound rate limiting - protecting yourself vs respecting third parties
  • Soft limits vs Hard limits and when to use each

Part 2: Algorithms Deep Dive

rate-limiting-part2-algorithms.md

  • Fixed Window Counter: how it works, boundary problem visualization, pros/cons, Python code
  • Sliding Window Log: timestamp logs, memory cost, accuracy, Python code
  • Sliding Window Counter: hybrid approach, weighted formula, error margin analysis, Python code
  • Token Bucket: token refill, burst support, AWS/Stripe usage, Python and Java code
  • Leaky Bucket: queue-based, smooth traffic, when it shines, Python code
  • GCRA (Generic Cell Rate Algorithm): Theoretical Arrival Time (TAT), virtual scheduling, code
  • Side-by-side algorithm comparison table: accuracy, memory, burst support, complexity, use cases
  • Decision framework: how to choose the right algorithm for your use case

Part 3: Implementation Guide

rate-limiting-part3-implementation.md

  • Redis fundamentals for rate limiting: INCR, EXPIRE, ZADD, ZREMRANGEBYSCORE, pipelines
  • Fixed Window in Redis (INCR + EXPIRE pattern)
  • Sliding Window Log in Redis (Sorted Sets / ZADD)
  • Token Bucket in Redis with Lua scripts for atomicity
  • Java with Bucket4j: local and Redis-backed, Spring Boot filter, tiered limits
  • Java with Resilience4j: RateLimiter, annotations, retry integration
  • Java custom implementation from scratch
  • Python with redis-py (manual implementation)
  • Python with Flask-Limiter (Flask framework)
  • Python with slowapi (FastAPI framework)
  • Node.js with express-rate-limit and RedisStore
  • Nginx rate limiting: limit_req, limit_conn, burst, nodelay, zone configuration
  • AWS API Gateway usage plans and throttling
  • Kong API Gateway rate-limiting plugin
  • Client-side rate limiting: exponential backoff, jitter, retry headers

Part 4: Distributed Rate Limiting

rate-limiting-part4-distributed.md

  • Why distributed rate limiting is hard (no single node, network latency, clock skew)
  • Centralized rate limiting: single Redis, Redis Cluster, pros and cons
  • Decentralized/local rate limiting: in-memory per node, when it is acceptable
  • Race conditions in rate limiting and why INCR alone is not enough
  • Atomic operations with Redis Lua scripts (full working examples)
  • Redis MULTI/EXEC transactions vs Lua scripts - what to use when
  • Sticky sessions: how they help, how they fail
  • Hybrid approach: local approximate + global precise enforcement
  • Rate limiting in a Service Mesh: Envoy proxy, Istio rate limiting, global rate limiting service
  • Multi-region rate limiting: the CAP theorem trade-off, eventual consistency approaches
  • Handling Redis failures: fail-open vs fail-closed strategies

Part 5: Advanced and Industry Practices

rate-limiting-part5-advanced-industry.md

  • Adaptive rate limiting: adjusting limits based on system health, load, and user behavior
  • Cost-based rate limiting: GraphQL query complexity, weighted endpoints
  • Priority queues: letting premium users through when limits are hit
  • Rate limiting tiers: Free / Pro / Enterprise with composite limits
  • Real-world study: Twitter/X API rate limits (v1 vs v2 changes and lessons)
  • Real-world study: GitHub REST and GraphQL API rate limiting
  • Real-world study: Stripe rate limiting and idempotency
  • Real-world study: Cloudflare rate limiting rules and zones
  • Real-world study: AWS API Gateway usage plans
  • 25+ actionable tips and tricks
  • 15+ common pitfalls with explanations and fixes
  • 12+ anti-patterns with names, descriptions, and correct alternatives
  • Industry best practices: monitoring, alerting, testing rate limiters, documentation standards

Part 6: Interview Questions

rate-limiting-part6-interview-questions.md

  • Section 1: Most Frequently Asked Conceptual Questions (Q1-Q20) with full answers
  • Section 2: Algorithm-Specific Questions (Q21-Q35)
  • Section 3: System Design Questions with structured answers (Q36-Q50)
  • Section 4: Coding Questions with full solutions (Q51-Q58)
  • Section 5: Tricky and Advanced Questions from 2024-2026 interviews (Q59-Q80)
  • Follow-up question handling: how interviewers go deeper and how to respond
  • Cheat sheet: key numbers, formulas, and comparison tables to memorize

Prerequisites

  • Basic understanding of HTTP (requests, responses, status codes)
  • Familiarity with at least one backend language (Java, Python, or Node.js)
  • Basic understanding of key-value stores (Redis concepts are helpful)
  • No prior rate limiting knowledge required
Your GoalRecommended Path
Interview tomorrowPart 6 first, then Part 2 for algorithms, then Part 1 for depth
Implement rate limiting todayPart 3 first, then Part 2 for algorithm choice
Learn from scratchPart 1 → Part 2 → Part 3 → Part 4 → Part 5 → Part 6
Fix a distributed issuePart 4, then Part 5 for pitfalls, then Supplement 2 for war stories
Understand the big picturePart 1, then Part 5 for industry context
Adding RL to a live system (no incidents)Supplement 3 (trade-offs + where), Supplement 4 (Shadow Enforcement pattern)
Debugging a production incidentSupplement 2 (20 real challenges + fixes)
Architecting a multi-tenant SaaSSupplement 4 (Quota Cascade + Tenant-Isolated Pool patterns)
Extreme-scale (>50K RPS)Part 4 + Supplement 4 (Hybrid Approximate pattern)
Senior/Staff engineer depthAll Supplements after Parts 1–6

This series was designed to be the last resource you need on Rate Limiting.
Every part is self-contained but they are designed to build on each other.

Next Articlerate limiting part1 fundamentals