api-rate-limiting
Install: claude install-skill SilantevBitcoin/Base-system-Claude
# API Rate Limiting & Throttling
Rate limiting caps how many requests a client may make in a time window. It protects against brute-force attacks, DDoS, runaway clients, and noisy-neighbor abuse, and enforces fair usage / per-tier quotas. In any multi-instance deployment the counter **must live in a shared store** (Redis), not in process memory — otherwise each instance enforces its own partial limit and the real limit is `N × max`.
## Use this skill when
- Protecting endpoints from brute force, credential stuffing, or DDoS.
- Enforcing per-user / per-tenant request quotas (e.g. free vs pro vs enterprise tiers).
- Adding throttling at an API gateway or service edge.
- Applying stricter limits on sensitive endpoints (login, register, password-reset) or expensive operations (report generation, exports).
## Algorithms (pick per need)
| Algorithm | Behavior | Use |
| --- | --- | --- |
| **Fixed window** | Count per discrete window (e.g. per minute) | Simplest; allows bursts at window edges |
| **Sliding window** | Count over a rolling interval | Smoother; avoids the edge-burst of fixed windows |
| **Token bucket** | Tokens refill at a steady rate; each request spends one; bucket allows a burst up to capacity | Best when you want a steady rate but tolerate short bursts |
| **Leaky bucket** | Requests drain at a fixed rate; overflow is rejected | Smooths output to a constant rate |
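As an added example (not part of this skill's own code), the following Python contrasts the two rows most often confused in the table, a fixed window and a token bucket. An in-memory dict stands in for the Redis key and the clock is passed in explicitly, so the edge-burst behaviour of fixed windows can be reproduced deterministically; the `limit`, `window`, `capacity` and `rate` values are illustrative assumptions.

```python
class FixedWindow:
    """Allow at most `limit` requests per discrete window of `window` seconds.
    Key = (client, window index), mirroring INCR + EXPIRE on one Redis key.
    Note: Redis would evict old keys via EXPIRE; this dict grows unbounded."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts: dict[tuple[str, int], int] = {}

    def allow(self, client: str, now: float) -> bool:
        key = (client, int(now // self.window))
        self.counts[key] = self.counts.get(key, 0) + 1  # INCR
        return self.counts[key] <= self.limit


class TokenBucket:
    """`capacity` tokens per client, refilled at `rate` tokens/second;
    each request spends one token. A burst of up to `capacity` is allowed,
    after which the client is held to the steady refill rate."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self.state: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self.state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # lazy refill
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


def edge_burst(limiter, client: str, per_side: int, window: float) -> int:
    """Fire `per_side` requests 10 ms before and 10 ms after a window boundary
    and return how many were allowed. A fixed window admits both halves
    (2x the nominal limit within 20 ms); a token bucket admits only `capacity`."""
    allowed = 0
    for t in [window - 0.01] * per_side + [window + 0.01] * per_side:
        allowed += limiter.allow(client, t)
    return allowed


if __name__ == "__main__":
    print("fixed window :", edge_burst(FixedWindow(10, 60.0), "c1", 10, 60.0))  # 20
    print("token bucket :", edge_burst(TokenBucket(10, 1.0), "c1", 10, 60.0))  # 10
```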
The `INCR` + `EXPIRE` pattern below is a fixed/sliding window in Redis; a token bucket is implemented wi