What is rate limiting and how is it communicated in REST APIs?
Answer
Rate limiting caps how many requests a client may make in a time window, protecting the API against abuse (credential stuffing, scraping, resource exhaustion) and keeping usage fair between tenants. Common algorithms: token bucket (a per-client bucket refills at a steady rate and each request spends tokens, so short bursts up to the bucket size are tolerated while the long-run rate is bounded); sliding window (counts requests over the trailing window, so there is no boundary spike, at the cost of more state per client); and fixed window (one counter per fixed interval; simplest, but a client can send a full quota at the end of one interval and another at the start of the next, i.e. 2x the limit in a short burst). Status is communicated with the conventional X-RateLimit-* headers, which are a widely used de facto convention rather than a standard: X-RateLimit-Limit: 1000 (requests allowed per window), X-RateLimit-Remaining: 42 (left in the current window), X-RateLimit-Reset: 1609459200 (Unix timestamp when the window resets; some APIs send seconds-until-reset instead, so document which one you use). An IETF draft (draft-ietf-httpapi-ratelimit-headers) is standardizing equivalent RateLimit-* fields. When the limit is exceeded, return 429 Too Many Requests with a Retry-After header (a delay in seconds or an HTTP-date) and do no further work for that request. Apply different limits by tier (free vs paid), by endpoint (write and expensive operations cost more tokens; login, password-reset and OTP endpoints get far tighter limits), and by source IP for unauthenticated requests, keying authenticated requests on the API key or user rather than the IP. Two caveats matter in practice: when several instances serve traffic, keep the counters in a shared store such as Redis, otherwise the effective limit is N times what you configured; and derive the client IP from the connection or from an X-Forwarded-For value set by your own trusted proxy, never from a client-supplied header, which is trivially spoofable.
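As an added worked example (written here to illustrate the answer above, not code from the page or any framework), the three algorithms side by side in Python: a token bucket that produces the X-RateLimit-* headers and a 429 with Retry-After, plus fixed-window and sliding-window limiters so the boundary burst can be reproduced. The tier limits, per-method costs and client-key scheme are assumed values chosen for illustration; time is passed in explicitly so the behaviour is deterministic.

```python
"""Rate limiting: token bucket with headers, fixed vs sliding window, tiering.
Added illustration; limits, costs and key format below are assumptions."""
import math
from collections import defaultdict, deque


class TokenBucketLimiter:
    """Token bucket: `capacity` is the burst size, `refill_rate` is tokens per second."""

    def __init__(self, capacity, refill_rate):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets = {}  # client -> (tokens, last_update_time)

    def check(self, client, cost, now):
        """Return (status, headers). 200 spends `cost` tokens; 429 spends nothing."""
        tokens, last = self.buckets.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.refill_rate)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self.buckets[client] = (tokens, now)
        seconds_to_full = math.ceil((self.capacity - tokens) / self.refill_rate)
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(tokens)),
            "X-RateLimit-Reset": str(int(now) + seconds_to_full),  # Unix time when full
        }
        if allowed:
            return 200, headers
        # Seconds until enough tokens have refilled for a request of this cost.
        headers["Retry-After"] = str(max(1, math.ceil((cost - tokens) / self.refill_rate)))
        return 429, headers


class FixedWindowLimiter:
    """Fixed window: one counter per (client, window index). Simple, but a client
    can spend the full limit at the end of one window and again at the start of
    the next, i.e. 2x the limit within a second or two."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.counts = defaultdict(int)

    def check(self, client, now):
        key = (client, int(now // self.window))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


class SlidingWindowLimiter:
    """Sliding window log: keep timestamps of accepted requests and drop those
    older than the window. Exact, no boundary spike, but memory grows with
    `limit` per client (a sliding-window counter approximates this more cheaply)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.log = defaultdict(deque)

    def check(self, client, now):
        q = self.log[client]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_allowed(limiter, client, times):
    """How many of the requests at `times` a boolean limiter accepts."""
    return sum(1 for t in times if limiter.check(client, t))


# Assumed tier configuration: (burst size, tokens per second) and per-method cost.
TIER_LIMITS = {"free": (60, 1.0), "paid": (600, 10.0)}
ENDPOINT_COST = {"GET": 1, "POST": 5, "PUT": 5, "DELETE": 5}  # writes cost more


def build_limiters():
    return {tier: TokenBucketLimiter(*cfg) for tier, cfg in TIER_LIMITS.items()}


def client_key(api_key, remote_addr):
    """Authenticated callers are keyed by identity, anonymous ones by source IP.
    `remote_addr` must come from the connection or a trusted proxy, never from
    a client-supplied header."""
    return f"key:{api_key}" if api_key else f"ip:{remote_addr}"


def handle(limiters, tier, client, method, now):
    """Charge one request of `method` against the client's tier bucket."""
    return limiters[tier].check(client, ENDPOINT_COST.get(method, 1), now)


if __name__ == "__main__":
    burst = [59.0] * 5 + [60.0] * 5  # ten requests straddling a 60 s boundary
    print("fixed window allowed:", count_allowed(FixedWindowLimiter(5, 60), "c", burst))
    print("sliding window allowed:", count_allowed(SlidingWindowLimiter(5, 60), "c", burst))
```

Running the block shows the fixed window accepting all ten requests of the boundary burst while the sliding window accepts five; the token bucket's Retry-After is computed from the deficit for the specific request, so a costlier write gets a longer wait than a read against the same bucket.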