Apply per-route and per-user rate limits using RateLimiter and the throttle middleware.
Rate Limiting
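// Define rate limiters (AppServiceProvider::boot)

// "api": 60 requests per minute, counted per authenticated user id and,
// for guests (no user, or a falsy id), per client IP address.
// NOTE(review): $request->ip() reflects the real client only when trusted
// proxies are configured for the deployment. Behind an unconfigured load
// balancer every client would share one bucket. Confirm the proxy setup.
RateLimiter::for("api", function (Request $request) {
    return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});

// "login": two independent limits that are both enforced.
//   - 5 attempts per minute per client IP slows a single source.
//   - 20 attempts per day per e-mail address caps guessing against one
//     account even when the attempts are spread across many addresses.
RateLimiter::for("login", function (Request $request) {
    // Normalise the submitted address before using it as a throttle key, so
    // that "User@Example.com", " user@example.com" and "user@example.com"
    // all count against the same daily budget. A missing or non-string value
    // (e.g. email[]=x) collapses to a single shared key instead of being
    // cast to a string.
    $submittedEmail = $request->input("email");
    $emailKey = is_string($submittedEmail)
        ? mb_strtolower(trim($submittedEmail))
        : "";

    // NOTE(review): a per-address daily cap also means a third party can use
    // up the budget for someone else's address. Decide whether the resulting
    // lockout is acceptable, or whether it should trigger a secondary check.
    return [
        Limit::perMinute(5)->by($request->ip()),
        Limit::perDay(20)->by($emailKey),
    ];
});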
// Apply to routes
// The part after "throttle:" names the limiter registered through
// RateLimiter::for(); a route without the middleware is not rate limited.
Route::middleware(["throttle:api"])->group(static function (): void {
    // All routes of the "posts" API resource count against the "api" limiter.
    Route::apiResource("posts", PostController::class);
});

// The login endpoint uses the stricter "login" limiter instead.
Route::post("/login", ...)->middleware("throttle:login");
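// Manual throttle
// Build the key once so the check, the wait-time lookup and the hit all
// address the same counter.
// NOTE(review): $email is defined outside this snippet. If it is raw request
// input, lowercase and trim it first so that case or whitespace variants of
// one address cannot each get their own counter.
$throttleKey = "email:".$email;

if (RateLimiter::tooManyAttempts($throttleKey, 5)) {
    // Seconds until the counter for this key becomes available again.
    $seconds = RateLimiter::availableIn($throttleKey);

    // 429 Too Many Requests; Retry-After lets well-behaved clients back off
    // without parsing the message text.
    return response()->json(
        ["message" => "Too many attempts. Wait $seconds seconds."],
        429,
        ["Retry-After" => $seconds],
    );
}

// Record this attempt; the counter decays after 60 seconds.
// NOTE(review): every attempt is counted here, successful or not. If only
// failures should count, reset the key with RateLimiter::clear($throttleKey)
// on success. The success path is not part of this snippet.
RateLimiter::hit($throttleKey, 60);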