Rate Limiting
Rate limiting restricts how many requests a client can make to an API in a given time window, protecting the backend from abuse, overload, and runaway costs.
A rate limiter counts requests per client (by API key, IP, or user) and rejects or delays those over a threshold, often returning a 429 Too Many Requests response.
Common algorithms include fixed windows, sliding windows, and token buckets. Limits protect shared resources, ensure fairness between clients, and contain the impact of misbehaving or malicious callers.
Rate limiting complements authentication and access control: keys identify callers, policies decide what they can touch, and limits cap how often they can ask.
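An added example, not from the original page: a per-client fixed-window counter and a token bucket are replayed over the same constructed burst that straddles a window boundary. The fixed window accepts twice its limit within 0.2 seconds, while the token bucket rejects the second half with a 429 and a retry delay. The class names, the 5-per-60-seconds limit and the `key-A` traffic are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass
class FixedWindow:
    """Allow `limit` requests per `window` seconds; the count resets at each window edge."""
    limit: int
    window: float
    counts: dict = field(default_factory=dict)  # (client, window index) -> count

    def allow(self, client: str, now: float) -> bool:
        key = (client, int(now // self.window))  # demo only: old windows are never evicted
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit

@dataclass
class TokenBucket:
    """Each client holds up to `capacity` tokens, refilled at `rate` tokens per second."""
    capacity: float
    rate: float
    state: dict = field(default_factory=dict)  # client -> (tokens, last_seen)

    def check(self, client: str, now: float):
        """Return (http_status, retry_after_seconds) for one request."""
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return 200, 0
        self.state[client] = (tokens, now)
        # Seconds until one whole token is available, suitable for a Retry-After header.
        return 429, math.ceil((1 - tokens) / self.rate)

def replay(allow, events):
    """Count accepted requests among (client, timestamp) events."""
    return sum(1 for client, ts in events if allow(client, ts))

# Constructed traffic: key-A sends 5 requests at t=59.9s and 5 more at t=60.1s.
BURST = [("key-A", 59.9)] * 5 + [("key-A", 60.1)] * 5

def accepted_fixed() -> int:
    fw = FixedWindow(limit=5, window=60)
    return replay(fw.allow, BURST)

def accepted_bucket() -> int:
    tb = TokenBucket(capacity=5, rate=5 / 60)
    return replay(lambda c, t: tb.check(c, t)[0] == 200, BURST)
```

Because state is keyed per client, a second key sending at the same moment still starts with a full bucket, which is the fairness property the definition describes.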