Rate Limiter — API Throttling

Rate limiting is a foundational infrastructure problem that appears in system design interviews across all levels because it sits at the intersection of distributed systems coordination, low-latency requirements, and API security. Every production API — from Stripe's payment endpoints to GitHub's REST API to AWS service quotas — relies on rate limiting to protect backend services from overload, prevent abuse, and enforce fair usage policies. Designing a rate limiter tests a candidate's understanding of distributed state management, atomicity guarantees, and the trade-offs between consistency and performance.

At scale, a rate limiter must make decisions for millions of unique API keys or user identifiers, each with potentially different quota configurations (free tier vs. premium tier). Every inbound request must pass through the rate limiter before reaching the backend, meaning the decision latency directly adds to every API call. A target of under 5ms at p99 for rate-limit decisions is typical in production systems. The limiter must also be consistent across all service instances — a user sending requests to different servers should see the same remaining quota, which rules out purely local counting approaches.

The token bucket algorithm is the industry-standard approach used by AWS, Stripe, GitHub, and most major API platforms. It naturally handles burst traffic: a user who has not made requests recently accumulates tokens up to the bucket capacity, allowing short traffic spikes without rejection. This is a significant advantage over fixed-window or sliding-window counters, which reject any instantaneous spike even if the average rate is well within limits. The burst tolerance property makes token bucket more user-friendly and reduces false-positive rejections during legitimate traffic bursts.

Beyond the core algorithm, interviewers expect candidates to discuss failure modes (what happens when Redis is down?), multi-tier rate limiting (per-user, per-route, per-IP), distributed coordination across multiple data centers, and the operational trade-offs between consistency and availability in the rate-limiting decision path.

The rate limiter architecture places a lightweight decision layer between clients and the protected backend, ensuring that all traffic is evaluated before reaching application services. The Client sends requests to the RateLimiter component, which extracts the rate-limit key (user ID or API key) from request headers and queries LimitCache (Redis) with an atomic Lua script. The Lua script performs the entire token bucket algorithm in a single Redis round-trip: it calculates how many tokens to refill based on elapsed time since the last access and the configured refill rate, caps the token count at bucket capacity, attempts to consume one token, and returns the decision along with remaining tokens and reset timestamp.

If the request is allowed (tokens were available), the RateLimiter forwards it to the Main Load Balancer, which distributes traffic across BackendService pods using round-robin. The backend processes the request normally and returns the response through the same path. Response headers include X-RateLimit-Remaining and X-RateLimit-Reset to inform clients of their quota status. If the token bucket is empty (rate limit exceeded), the RateLimiter immediately returns HTTP 429 Too Many Requests with a Retry-After header indicating when the next token will be available. No traffic reaches the backend during rejection, which is the core protective property.

The LimitCache (Redis) stores per-key token bucket state using approximately 100 bytes per key: the current token count and the last refill timestamp. A 3-node Redis Cluster provides high availability and handles up to 20,000 concurrent connections. Token bucket entries expire via Redis TTL after one hour of inactivity, preventing unbounded memory growth from inactive keys. At 100 million active keys, the total memory footprint is approximately 10GB — well within the capacity of a 13GB Redis instance.

The RateLimiter itself is stateless and horizontally scalable. Multiple instances can run behind a load balancer, all querying the same centralized Redis cluster for consistent rate-limit state. The token bucket configuration (capacity of 100 tokens, refill rate of 10 tokens per second) is tunable per key or per tier, enabling differentiated rate limits for free and premium API consumers.