What is Rate Limiting?
Rate limiting caps how many requests a client may make to a service within a given time window. It protects APIs from abuse, accidental overload, and runaway clients, keeping the service available for everyone.
When a client exceeds the limit, the server responds with HTTP 429 Too Many Requests, often with a Retry-After header telling the client when to try again.
Key points
- Caps requests per client per time window.
- Protects against abuse and overload.
- Exceeding it returns HTTP 429 Too Many Requests.
- A Retry-After header tells clients when to retry.
Example
HTTP/1.1 429 Too Many Requests
Retry-After: 30
X-RateLimit-Remaining: 0
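The behaviour described above, as an added example that is not part of the original page: a per-client fixed-window limiter that produces the 429 response with Retry-After and X-RateLimit-Remaining. The fixed-window algorithm, the class and function names, and the sample traffic are assumptions made for illustration; the page does not name a specific algorithm.

```python
import math


class FixedWindowLimiter:
    """Per-client fixed-window counter (hypothetical helper, one of several algorithms)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._state = {}  # client id -> [window_start, request_count]

    def check(self, client_id, now):
        """Return (status, headers) for a request from client_id at time `now` (seconds)."""
        state = self._state.get(client_id)
        # First request from this client, or the previous window has fully elapsed.
        if state is None or now - state[0] >= self.window:
            state = self._state[client_id] = [now, 0]
        if state[1] >= self.limit:
            # Over the cap: report the seconds left until this client's window resets.
            retry_after = max(1, math.ceil(state[0] + self.window - now))
            return 429, {"Retry-After": str(retry_after),
                         "X-RateLimit-Remaining": "0"}
        state[1] += 1
        return 200, {"X-RateLimit-Remaining": str(self.limit - state[1])}


def replay(events, limit=3, window_seconds=30):
    """Run (client_id, timestamp) events through one limiter and collect the responses."""
    limiter = FixedWindowLimiter(limit, window_seconds)
    return [(cid, t) + limiter.check(cid, t) for cid, t in events]


# Constructed sample traffic: (client id, timestamp in seconds).
SAMPLE_EVENTS = [
    ("alice", 0), ("alice", 1), ("alice", 2),
    ("alice", 5),   # fourth request inside alice's 30 s window
    ("bob", 5),     # a different client has its own counter
    ("alice", 30),  # alice's window has reset
]

if __name__ == "__main__":
    for cid, t, status, headers in replay(SAMPLE_EVENTS):
        print(f"t={t:>2}s {cid:<5} -> {status} {headers}")
```

A fixed window admits up to twice the limit across a window boundary; sliding-window or token-bucket limiters smooth that out at the cost of more state per client.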
Common uses
- Protecting public APIs from abuse
- Enforcing usage tiers and quotas
- Preventing brute-force login attempts
- Keeping shared services stable