Getting Started with API Rate Limiting: Protect Your APIs in Under 5 Minutes
Learn how to implement enterprise-grade rate limiting for your APIs using Rately. From basic setup to advanced policies - protect your services from abuse and implement fair usage.
Tutorial Expert
• 8 min read
Getting Started with API Rate Limiting
API rate limiting is essential for protecting your services from abuse, ensuring fair usage, and maintaining system stability. With Rately, you can implement enterprise-grade rate limiting in under 5 minutes without managing any infrastructure.
Why Rate Limiting Matters
Before diving into implementation, let's understand why rate limiting is crucial:
- Prevent Abuse: Stop malicious users from overwhelming your API
- Ensure Fair Usage: Distribute resources fairly among legitimate users
- Cost Control: Prevent unexpected infrastructure costs from traffic spikes
- SLA Compliance: Maintain service quality for all users
- Revenue Protection: Enable usage-based billing and tier enforcement
Quick Start: Proxy Mode
The fastest way to protect your API is using Rately's proxy mode. Your API traffic flows through Rately's edge network where limits are enforced before requests reach your servers.
Step 1: Sign Up and Create Your First Policy
# Create your account at rately.dev, then create a policy via API
curl -X POST https://api.rately.dev/v1/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Basic API Protection",
"match": "/api/*",
"limit": 1000,
"window": "1h",
"key_template": "ip:{client_ip}"
}'
Step 2: Point Your Traffic Through Rately
Update your DNS to route API traffic through Rately:
# Instead of: api.yourservice.com → your-origin-server.com
# Use: api.yourservice.com → CNAME → proxy.rately.dev
# In your DNS provider:
api.yourservice.com CNAME proxy.rately.dev
Step 3: Configure Your Origin
Tell Rately where to forward allowed requests:
{
"origin": "https://your-origin-server.com",
"policies": ["basic-api-protection"],
"headers": {
"preserve_client_ip": true,
"add_rate_limit_headers": true
}
}
That's it! Your API is now protected with rate limiting at Cloudflare's edge.
Understanding Rate Limiting Policies
Rately's policies are flexible and powerful. Here's how they work:
Basic Structure
{
"name": "Policy Name",
"match": "/api/endpoint/*",
"limit": 100,
"window": "1m",
"key_template": "user:{user_id}",
"algorithm": "token_bucket"
}
Key Components:
- match: Which requests this policy applies to
- limit: Maximum requests allowed
- window: Time window (1s, 1m, 1h, 1d, 1mo)
- key_template: How to identify users/entities
- algorithm:
token_bucket(burst) orsliding_window(strict)
Common Rate Limiting Patterns
1. Per-User Rate Limiting
Limit each user to specific quotas:
{
"name": "Per User API Limits",
"match": "/api/*",
"limit": 1000,
"window": "1h",
"key_template": "user:{jwt.sub}",
"extract_user_from": "jwt"
}
2. Tiered Rate Limiting
Different limits based on subscription plans:
{
"name": "Tiered Limits",
"match": "/api/*",
"limit": 100,
"window": "1h",
"key_template": "user:{jwt.sub}",
"overrides": [
{
"when": {"jwt.plan": "pro"},
"limit": 1000
},
{
"when": {"jwt.plan": "enterprise"},
"limit": 10000
}
]
}
3. Endpoint-Specific Limits
Different limits for different endpoints:
[
{
"name": "Expensive AI Endpoint",
"match": "/api/ai/generate",
"limit": 10,
"window": "1m",
"key_template": "user:{api_key}"
},
{
"name": "Regular API Calls",
"match": "/api/*",
"limit": 1000,
"window": "1m",
"key_template": "user:{api_key}"
}
]
Advanced Configuration
Custom Headers for User Identification
{
"key_template": "user:{header.x-user-id}",
"fallback_key": "ip:{client_ip}"
}
Burst Handling
Allow temporary bursts but maintain average rate:
{
"algorithm": "token_bucket",
"limit": 100,
"window": "1m",
"burst_size": 200
}
Monitoring and Response Headers
Rately adds standard rate limit headers to all responses:
HTTP/1.1 200 OK
RateLimit-Limit: 1000; window=3600
RateLimit-Remaining: 742
RateLimit-Reset: 1642678800
# When rate limited:
HTTP/1.1 429 Too Many Requests
Retry-After: 1800
RateLimit-Limit: 1000; window=3600
RateLimit-Remaining: 0
RateLimit-Reset: 1642678800
Testing Your Setup
Verify your rate limiting works:
# Test normal requests
curl -i https://api.yourservice.com/endpoint
# Test rate limiting (make rapid requests)
for i in {1..105}; do
curl -s -o /dev/null -w "%{http_code} " https://api.yourservice.com/endpoint
done
# Should see 200s followed by 429s
Best Practices
- Start Conservative: Begin with generous limits and tighten based on usage patterns
- Monitor Closely: Watch for legitimate users hitting limits
- Provide Clear Errors: Return helpful 429 responses with retry information
- Use Appropriate Keys: Choose user identification that matches your use case
- Plan for Growth: Set limits that scale with your user base
Next Steps
Now that you have basic rate limiting in place:
- Add Usage Analytics: Monitor which users and endpoints are hitting limits
- Implement Billing: Connect usage data to Stripe for metered billing
- Create Alerts: Get notified when abuse patterns are detected
- Advanced Policies: Implement dynamic limits based on system load
Troubleshooting Common Issues
Q: Legitimate users are being rate limited
A: Check your key_template - ensure you're identifying users correctly, not just by IP
Q: Rate limits aren't working
A: Verify your DNS CNAME is pointing to proxy.rately.dev and policies are active
Q: Getting 502/503 errors A: Check your origin URL is correct and accessible from our edge network
Conclusion
With Rately, implementing robust API rate limiting takes minutes, not weeks. You get enterprise-grade protection without managing Redis clusters or complex rate limiting logic. Start with simple IP-based limits and evolve to sophisticated per-user, per-plan policies as your API grows.
Ready to protect your API? Sign up for Rately and get your first 100K requests free.