api-rate-limiting
npx machina-cli add skill secondsky/claude-skills/api-rate-limiting --openclawFiles (1)
SKILL.md
1.9 KB
API Rate Limiting
Protect APIs from abuse using rate limiting algorithms with per-user and per-endpoint strategies.
Algorithms
| Algorithm | Pros | Cons |
|---|---|---|
| Token Bucket | Handles bursts, smooth | Memory per user |
| Sliding Window | Accurate | Memory intensive |
| Fixed Window | Simple | Boundary spikes |
Token Bucket (Node.js)
class TokenBucket {
constructor(capacity, refillRate) {
this.capacity = capacity;
this.tokens = capacity;
this.refillRate = refillRate; // tokens per second
this.lastRefill = Date.now();
}
consume() {
this.refill();
if (this.tokens >= 1) {
this.tokens--;
return true;
}
return false;
}
refill() {
const now = Date.now();
const elapsed = (now - this.lastRefill) / 1000;
this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillRate);
this.lastRefill = now;
}
}
Express Middleware
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100,
standardHeaders: true,
message: { error: 'Too many requests, try again later' }
});
app.use('/api/', limiter);
Response Headers
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705320000
Retry-After: 60
Tiered Limits
| Tier | Requests/Hour |
|---|---|
| Free | 100 |
| Pro | 1,000 |
| Enterprise | 10,000 |
Best Practices
- Use Redis for distributed rate limiting
- Include proper headers in responses
- Return 429 status with Retry-After
- Implement tiered limits for different plans
- Monitor rate limit metrics
- Test under load
Source
git clone https://github.com/secondsky/claude-skills/blob/main/plugins/api-rate-limiting/skills/api-rate-limiting/SKILL.mdView on GitHub Overview
Protects APIs from abuse by applying rate limiting using token bucket, sliding window, and fixed window algorithms. Supports per-user and per-endpoint strategies and emphasizes Redis-based distribution, tiered access, and clear 429 responses with headers.
How This Skill Works
Tokens are refilled over time and consumed on requests (token bucket). Express middleware applies limits per route, with headers like X-RateLimit-Limit and X-RateLimit-Remaining, and a 429 response when exhausted. Redis enables distributed limits across multiple app instances and tiered plans (Free, Pro, Enterprise).
When to Use It
- Securing public APIs with controlled access per user and per endpoint
- Implementing tiered access plans (Free, Pro, Enterprise)
- Preventing denial-of-service or abusive traffic on high-traffic endpoints
- Enforcing per-user/per-endpoint rate limits across microservices
- Scaling rate limiting across multiple app instances with Redis
Quick Start
- Step 1: Pick an algorithm (token bucket for bursts, sliding window for accuracy, or fixed window for simplicity) and define per-user and per-endpoint scope
- Step 2: Implement token bucket logic or Express middleware (see TokenBucket class and express-rate-limit example) and integrate Redis for distributed limits
- Step 3: Return 429 with Retry-After and include rate limit headers; deploy tiered limits and monitor metrics
Best Practices
- Use Redis for distributed rate limiting
- Include proper headers in responses (e.g., X-RateLimit-Limit, X-RateLimit-Remaining)
- Return 429 status with Retry-After when limits are reached
- Implement tiered limits for different plans (Free/Pro/Enterprise)
- Monitor rate limit metrics and test under load
Example Use Cases
- Public API protected with per-user, per-endpoint limits using Redis-backed distribution
- Tiered access enforced for Free, Pro, and Enterprise plans
- Express API with 429 responses and RateLimit headers on overuse
- Token Bucket bursts controlled for high-traffic endpoints
- Distributed rate limiting across clustered Node.js apps using Redis
Frequently Asked Questions
Add this skill to your agents
