<strong>Rate limiting</strong> is a technique to control how many requests a user can make to your API in a given time period. It prevents abuse, protects your servers, and ensures fair usage for all users.
The Nightclub Bouncer Analogy
A nightclub bouncer only lets a certain number of people in at a time. If too many try to enter at once, they have to wait. Rate limiting works the same way for API requests.
In the analogy: the nightclub is the API (limited capacity), the bouncer is the rate limiter (controls entry), and the people are the requests (they want to get in). The flow is: clients send requests, the rate limiter checks the limit, and the API processes or rejects each request.
Request arrives: the client sends a request to your API.
Check counter: the rate limiter checks how many requests this client has made in the current window.
Within limit? If the client is under the limit, allow the request. If over, reject it with a 429 error.
Increment counter: add 1 to the client's request count.
Reset after time window: the counter resets after the window expires (1 minute, 1 hour, or 1 day).
Wrong: "Rate limiting is only for preventing attacks"
Correct: Rate limiting serves multiple purposes: <strong>preventing abuse, ensuring fair usage, protecting infrastructure, and managing costs</strong>. It's essential for any production API.
Twitter API rate limiting:
Free tier: 100 requests per 15 minutes
If you exceed this, you get a 429 'Too Many Requests' error
You must wait until the 15-minute window resets
This prevents bots from overwhelming their servers