API Rate Limiting Best Practices 2026
Why Rate Limiting Exists
Every API has limits. Whether it's 100 requests per minute or 10,000 per day, rate limiting protects API providers from abuse, ensures fair usage, and keeps infrastructure costs manageable.
As a developer consuming APIs, understanding rate limits isn't optional — it's the difference between a reliable application and one that randomly breaks at scale.
Common Rate Limiting Strategies
Fixed Window
The simplest approach. You get N requests per time window (e.g., 100 requests per minute). The counter resets at the start of each window.
- Pro: Easy to understand and implement
- Con: Burst traffic at window boundaries can cause issues
Sliding Window
Instead of resetting at fixed intervals, the window slides with each request. More fair, but harder to predict your remaining quota.
- Pro: Smoother rate enforcement
- Con: Harder to calculate remaining requests
Token Bucket
You start with a bucket of tokens. Each request consumes one token. Tokens refill at a steady rate. Allows short bursts while enforcing an average rate.
- Pro: Handles burst traffic gracefully
- Con: Can be confusing — "I had 100 tokens, now I have 37?"
Leaky Bucket
Requests queue up and are processed at a constant rate. Excess requests overflow (get rejected). Used by APIs that need strict throughput control.
- Pro: Predictable processing rate
- Con: Adds latency during bursts
Reading Rate Limit Headers
Most APIs tell you their limits via HTTP headers. Here are the standard ones:
HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1709510460
Retry-After: 30
| Header | Meaning |
|---|---|
X-RateLimit-Limit | Max requests allowed in the window |
X-RateLimit-Remaining | Requests left in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
Retry-After | Seconds to wait before retrying (on 429) |
Always parse these headers. Don't guess — let the API tell you exactly when you can send the next request.
Handling 429 Too Many Requests
When you hit a rate limit, the API returns HTTP 429. Here's how to handle it properly:
Exponential Backoff with Jitter
The gold standard for retry logic. Wait progressively longer between retries, with random jitter to prevent thundering herd problems.
async function fetchWithRetry(url, options, maxRetries = 5) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status !== 429) return response;
const retryAfter = response.headers.get('Retry-After');
const baseDelay = retryAfter
? parseInt(retryAfter) * 1000
: Math.pow(2, attempt) * 1000;
// Add jitter: random delay between 0 and baseDelay
const jitter = Math.random() * baseDelay;
const delay = baseDelay + jitter;
console.log(`Rate limited. Retrying in ${Math.round(delay)}ms...`);
await new Promise(resolve => setTimeout(resolve, delay));
}
throw new Error('Max retries exceeded');
}
Key Rules for Retries
- Always respect
Retry-After— If the API tells you when to retry, listen - Add jitter — Without it, all your retried requests hit at the same time
- Set a max retry count — Don't retry forever
- Log rate limit events — If you're hitting limits regularly, you have a design problem
Proactive Strategies
Don't wait for 429 errors. Design your application to stay within limits from the start.
1. Cache Aggressively
The fastest API call is the one you don't make. Cache responses at every layer:
// Simple in-memory cache with TTL
const cache = new Map();
async function cachedFetch(url, ttlMs = 60000) {
const cached = cache.get(url);
if (cached && Date.now() - cached.time < ttlMs) {
return cached.data;
}
const response = await fetch(url);
const data = await response.json();
cache.set(url, { data, time: Date.now() });
return data;
}
2. Batch Requests
Many APIs offer batch endpoints. Use them instead of making individual calls.
// Instead of this (10 API calls):
for (const id of userIds) {
await fetch(`/api/users/${id}`);
}
// Do this (1 API call):
await fetch(`/api/users?ids=${userIds.join(',')}`);
3. Use Webhooks
Instead of polling an API every 30 seconds to check for changes, register a webhook and let the API notify you.
- Polling: 2,880 requests/day per resource
- Webhooks: 0 requests — the API pushes updates to you
4. Implement a Request Queue
For high-volume applications, queue outgoing API calls and process them at a controlled rate:
class RateLimitedQueue {
constructor(requestsPerSecond) {
this.interval = 1000 / requestsPerSecond;
this.queue = [];
this.processing = false;
}
async add(fn) {
return new Promise((resolve, reject) => {
this.queue.push({ fn, resolve, reject });
this.process();
});
}
async process() {
if (this.processing) return;
this.processing = true;
while (this.queue.length > 0) {
const { fn, resolve, reject } = this.queue.shift();
try {
resolve(await fn());
} catch (err) {
reject(err);
}
await new Promise(r => setTimeout(r, this.interval));
}
this.processing = false;
}
}
// Usage: max 10 requests per second
const queue = new RateLimitedQueue(10);
await queue.add(() => fetch('/api/data'));
5. Monitor Your Usage
Track your API consumption proactively. Set alerts at 80% of your limit so you can optimize before you hit errors.
Rate Limit Comparison Across Popular APIs
| API | Free Tier Limit | Paid Limit | Reset Window |
|---|---|---|---|
| GitHub | 60/hr (unauth), 5,000/hr (auth) | 15,000/hr | 1 hour |
| OpenAI | Varies by model | Varies by tier | 1 minute |
| Stripe | 100/sec (live), 25/sec (test) | Custom | Per second |
| Twitter/X | 1,500 tweets/month | 10,000/month | Monthly |
| Google Maps | 28,500/day | Pay-per-use | Daily |
When You're the API Provider
If you're building an API, here's how to implement rate limiting well:
- Return clear headers — Always include
X-RateLimit-*headers - Use 429 status codes — Not 403 or 500
- Include
Retry-After— Tell consumers exactly when to retry - Offer tiered limits — Different plans should have different limits
- Document your limits — Don't make developers discover them by hitting them
Conclusion
Rate limiting is a fact of life when working with APIs. The best developers don't fight it — they design around it with caching, batching, queuing, and smart retry logic.
Browse our API directory to compare rate limits across hundreds of APIs and find the ones that fit your usage patterns.
Implementing Rate Limiting on Your Own API
If you're building an API, the implementation choices matter as much as the client-facing behavior. The most common production approach is Redis-based rate limiting using the sliding window log or token bucket algorithm, with the Upstash Rate Limit library or the express-rate-limit + rate-limit-redis combination for Express applications.
The Redis sliding window algorithm stores a sorted set of request timestamps per client identifier (IP, API key, or user ID). On each request, it counts entries in the window, atomically adds the new timestamp, and removes expired entries. This approach handles concurrent requests correctly — unlike simple counter-based approaches that can be defeated by parallel requests racing before the counter increments.
For distributed systems, rate limiting must be centralized. Local in-memory rate limiting per server instance breaks when you run multiple instances: each server tracks its own counter independently, allowing each instance's limit in parallel. Either use Redis as the shared state store, or use an API gateway (Kong, AWS API Gateway, Cloudflare) that centralizes rate limiting before requests reach your servers.
Three rate limit identifiers serve different purposes: IP-based limits protect against anonymous abuse and DDoS; user/account-based limits enforce per-customer quotas; and API-key-based limits allow per-integration granularity. Most production APIs use all three simultaneously — IP limits for anonymous requests and bot protection, user limits for authenticated requests, and key limits for partner integrations with custom tiers.
Rate Limit Headers Standard
The IETF published RFC 9110 (HTTP Semantics, 2022) and the draft RateLimit header specification provides a standardized alternative to the ad-hoc X-RateLimit-* headers used by most APIs today. The draft spec defines three standardized headers:
RateLimit-Limit replaces X-RateLimit-Limit. RateLimit-Remaining replaces X-RateLimit-Remaining. RateLimit-Reset replaces X-RateLimit-Reset. The standardized headers use a slightly different format that supports multiple rate limits (per-second AND per-day) in a single header value, and the reset value is expressed as seconds remaining rather than an absolute Unix timestamp. Adoption is growing: Cloudflare, GitHub, and several major API providers have added support alongside their legacy X-RateLimit-* headers.
As a consumer, parsing both formats defensively ensures compatibility with both old and new APIs:
function parseRateLimitHeaders(headers: Headers) {
const remaining =
headers.get('RateLimit-Remaining') ??
headers.get('X-RateLimit-Remaining');
const reset =
headers.get('RateLimit-Reset') ??
headers.get('X-RateLimit-Reset');
const retryAfter = headers.get('Retry-After');
return {
remaining: remaining ? parseInt(remaining) : null,
resetAt: reset ? new Date(parseInt(reset) * 1000) : null,
retryAfterMs: retryAfter ? parseInt(retryAfter) * 1000 : null,
};
}
Rate Limiting in Distributed Systems
Rate limiting becomes substantially more complex at scale. A few patterns that emerge in high-traffic production systems:
Sliding window vs fixed window trade-offs at scale. Sliding window is more accurate but requires more Redis operations per request (sorted set operations are O(log N)). For very high-throughput APIs (>10K RPS), the Redis overhead becomes significant. Many teams use fixed window rate limiting at the edge (for speed) and sliding window at the application layer (for accuracy), accepting the small spike at window boundaries at the edge in exchange for reduced Redis load.
Rate limit propagation lag. In global deployments with regionally sharded Redis, a rate limit applied in US-East may not be visible in EU-West for 20-100ms. For burst prevention, this propagation lag is acceptable. For strict enforcement (compliance-driven quotas), you need strong consistency — which means routing all requests through a single Redis primary or using a distributed database with synchronous replication.
Graceful degradation of rate limiting. If your Redis cluster goes down, should rate limiting fail open (all requests pass) or fail closed (all requests blocked)? Most teams choose fail open with alerting, on the reasoning that customer-facing downtime from over-blocking is worse than brief rate limit bypass during infrastructure failure. This decision should be made explicitly and documented in your runbook.
Per-endpoint vs global limits. A single global rate limit per API key is simple but coarse — it treats a cheap health check endpoint and an expensive AI inference endpoint identically. Per-endpoint limits allow you to impose stricter limits on expensive operations (GPT-4o calls, database-heavy exports, large file uploads) while allowing high frequency on cheap endpoints (status checks, lightweight reads). The implementation cost is higher — you need one Redis key per (client, endpoint) tuple — but the protection is more targeted. Most APIs start with a global limit and add per-endpoint limits for their most expensive operations once those bottlenecks emerge in production.
Client-Side Rate Limit Handling
Most rate limiting documentation focuses on server-side implementation — algorithm selection, distributed counters, header standards. How clients handle rate limit responses is equally important. A client that blindly retries 429 responses in a tight loop causes problems for both parties.
The correct client behavior when receiving a 429 depends on the rate limit type. For per-second limits (burst limits), a short backoff of 100-500ms before retrying is appropriate — the burst window clears quickly. For per-hour or per-day quota limits, a short backoff is pointless. The client should read the Retry-After or X-RateLimit-Reset header and wait until the specified time before retrying. Retrying a quota exhaustion every 500ms wastes API quota on retries that cannot succeed.
Exponential backoff with jitter is the standard retry pattern for transient rate limit errors. Pure exponential backoff (1s, 2s, 4s, 8s...) creates thundering herd problems when many clients experience a rate limit simultaneously — they all back off for the same duration and then retry at the same moment, recreating the load that triggered the limit. Adding jitter (randomizing backoff within a range, e.g., wait between 0.5 * delay and 1.5 * delay) spreads retry load over time and smooths reentry.
HTTP client libraries handle rate limits inconsistently. Axios, the browser Fetch API, and most standard HTTP clients have no built-in rate limit handling — you implement retry logic at the application layer. Libraries like p-retry (Node.js) or tenacity (Python) provide configurable retry logic with backoff strategies as a drop-in. For APIs you call at high volume, wrapping your HTTP client with retry-on-429 logic is worth the upfront investment — it prevents one API's rate limits from cascading into visible errors in your application.
Rate limit budgets matter for multi-tenant applications. If your application proxies API calls on behalf of multiple users and you use a single shared API key, one user's high usage can exhaust the rate limit and affect all other users. Solutions: per-user API keys where the API supports it (Stripe's connected account API keys, for example), or application-level per-user rate limiting that prevents any single user from consuming more than a defined fraction of the total budget.
Proactive rate limit management — staying well below the limit rather than reacting to 429 responses — is the approach professional API integrations use. Read X-RateLimit-Remaining on every response and slow down before exhausting the budget. If you're at 80% of your rate limit budget with no urgency on the remaining requests, add delays between calls. This keeps your integration fast for urgent requests while preventing 429 errors entirely for batch or background operations. Reactive rate limit handling is necessary for resilience; proactive management is what prevents rate limits from ever impacting users in the first place. The best-implemented API integrations treat rate limit headers as a first-class signal — logging remaining quota alongside response time and status code, so engineers can see quota trend lines alongside latency in their observability dashboards and catch approaching exhaustion before users do.
Methodology
Algorithm descriptions based on Martin Fowler's "Rate Limiting" pattern catalog and the Stripe engineering blog's published rate limiting implementation. Header standard based on IETF draft-ietf-httpapi-ratelimit-headers (draft 7, March 2025). Code examples tested with Node.js 22, express-rate-limit v7, and rate-limit-redis v4. Comparison table figures sourced from official provider documentation as of March 2026.
Related: API Rate Limiting Best Practices for 2026, Best Currency and Exchange Rate APIs in 2026, How AI Is Transforming API Design and Documentation