Tutorials › API Design › Rate Limiting

Rate Limiting

5 min read Quiz at the end

Protect APIs with rate limiting — 429 with Retry-After, per-user and global limits by tier.

API Rate Limiting

# Response headers
X-RateLimit-Limit:     100
X-RateLimit-Remaining: 47
X-RateLimit-Reset:     1735689600
Retry-After:           60

# 429 response
{"error":"RATE_LIMIT_EXCEEDED","retry_after_seconds":42}

# FastAPI with slowapi
from slowapi import Limiter
from slowapi.util import get_remote_address
limiter = Limiter(key_func=get_remote_address)

@app.get("/search")
@limiter.limit("20/minute")
def search(request: Request, q: str): ...

# Tiered: Free=100/hr, Pro=5000/hr, Enterprise=unlimited

← JWT Deep Dive Next: API Versioning →

Topic Quiz · 1 questions

Test your understanding before moving on

1. Which rate limiting strategy allows short bursts above the rate limit?

💡 Token bucket allows burst traffic up to the bucket capacity, then limits to the refill rate.

Quick Access

Rate Limiting

API Rate Limiting

Test your understanding before moving on