Rate Limiting Made Simple: What It Is and Why It Matters

Rahul BudhirajaRahul Budhiraja
3 min read

Breaking down complex tech topics into real-world logic.

🧊 Introduction

Ever wondered how services like Instagram prevent you from endlessly refreshing your feed, or how Gmail blocks bots from spamming your inbox? That’s rate limiting in action.

In this post, I’ll break down what rate limiting is, why it matters, and how different strategies work — with simple real-world analogies that you won’t forget.

⚙️ What Is Rate Limiting?

Rate limiting is a technique used to control the number of requests a client (like a user, browser, or app) can make to a service or API in a given time window.

It helps services:

  • ⛔ Prevent abuse (e.g., bots or DDoS attacks)

  • ⚖️ Ensure fair usage

  • 🧠 Optimize resource usage and avoid server overload

🍿 Real-World Analogy: The Movie Ticket Counter

Imagine a movie theater that lets only 5 people buy tickets every 10 minutes. If you're the 6th person in line, you have to wait until the next time window.

This is exactly what APIs do:

  • ✅ Allow: Up to 5 requests in 10 minutes

  • ❌ Block or delay: Any requests beyond that until the next cycle

🧪 Common Rate Limiting Algorithms

Let’s break down four popular strategies with simple examples:

1. Token Bucket

Picture a bucket that fills with tokens at a steady rate. Each request “spends” a token. If the bucket is empty, you have to wait.

✅ Good for allowing bursts
📊 Used by: Google APIs, Stripe

2. Leaky Bucket

Think of a bucket with a small hole. Water (requests) drips out at a fixed rate. If too much water is poured in at once, the overflow is lost.

✅ Smooths out traffic
📊 Used for fair, consistent flows

3. Fixed Window Counter

Example: Allow 100 requests every 60 seconds. It resets after every time window.

⚠️ Downside: Spikes can still happen at window boundaries
📊 Simple but not precise

4. Sliding Log Window

Keeps a timestamped log of every request and counts how many occurred in the last X seconds.

✅ Precise
🧠 More memory usage, but smarter

🛠️ Real API Example: GitHub

GitHub’s public API uses fixed window limits. If you're not authenticated, you get only 60 requests per hour. Try more, and you get this:

{
  "message": "API rate limit exceeded",
  "documentation_url": "https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"
}

You must then wait or use OAuth tokens to increase the limit.

👨‍💻 Why Developers Should Care

  • 🔗 When building apps that call 3rd-party APIs, you must respect their limits.

  • 🔄 If you're building your own backend, you need to implement rate limiting to protect your system.

  • 🧯 It’s also a critical part of security, user experience, and scalability.

🧠 Final Thoughts

Rate limiting is more than a backend detail — it's a powerful tool that makes modern systems fair, efficient, and resilient.

Understanding this concept — and applying the right strategy — is essential for any developer working with APIs or building distributed systems.

💬 Want to Learn More?

If you enjoyed this breakdown and want more practical tech guides like this, connect on LinkedIn!
https://www.linkedin.com/in/rahul-budhiraja-323a60216/

0
Subscribe to my newsletter

Read articles from Rahul Budhiraja directly inside your inbox. Subscribe to the newsletter, and don't miss out.

rate-limitingDevopsengineeringSystem DesignSecurity

Written by

Rahul Budhiraja
Rahul Budhiraja