Implementing a rate limiting algorithm is only half the challenge. The other half—often more impactful on user experience—is policy design: deciding what to limit, who to identify, and how limits should interact across different dimensions.

Consider Stripe's API: They limit by API key, by endpoint, by IP address, and by card number being charged—all simultaneously. GitHub limits by authenticated user, but also by organization and by IP for unauthenticated requests. Cloudflare limits by zone, by plan tier, and by specific security rule.

In this page, we'll master the art of designing rate limiting policies that are fair, flexible, and aligned with business objectives—policies that protect infrastructure while enabling legitimate high-volume usage.

The first decision in rate limit policy design is identity: what entity are we tracking and limiting? The choice profoundly affects both security and user experience.

API Key Limiting

The most common approach for authenticated APIs. Each API key gets its own quota.

Advantages:

• Clear accountability (key owner is responsible)
• Easy to track, bill, and report usage
• Keys can be revoked if abused
• Natural alignment with business tiers

Challenges:

• Key sharing: Multiple users share one key to circumvent limits
• Key proliferation: Users create multiple keys to multiply limits
• Leaked keys: Attackers use stolen keys, impacting legitimate owners

Best Practices:

// Per-key limits with abuse detection
interface APIKeyPolicy {
  keyId: string;
  limits: {
    requestsPerMinute: number;
    requestsPerDay: number;
    concurrentRequests: number;
  };
  flags: {
    allowOverageWith429: boolean;  // Soft vs hard limit
    suspiciousActivityThreshold: number;  // Trigger investigation
  };
}

User ID Limiting

Limits tied to the authenticated user, regardless of which API keys or sessions they use.

Advantages:

• Prevents circumvention via multiple API keys
• Limits follow user across devices
• Better for consumer applications where users shouldn't manage keys

Challenges:

• Requires authentication before rate limiting
• For some endpoints, authentication may be expensive
• Session management adds complexity

Pattern: Key and User Limits Together

User: alice@example.com
  ├── API Key: key_prod_abc → 10,000 req/day (development key)
  ├── API Key: key_prod_xyz → 10,000 req/day (production key)
  └── User Total: 15,000 req/day (regardless of key used)

Result: Even with 2 keys, Alice can't exceed 15,000/day total

IP Address Limiting

Essential for unauthenticated endpoints and as a fallback layer.

Advantages:

• No authentication required
• Simple to implement
• Good for login/signup protection

Challenges:

• NAT: Many users behind same IP (universities, corporations)
• Proxies/VPNs: Users change IPs to bypass limits
• Mobile carriers: IPs shared among thousands of users
• CDN/Load Balancers: All traffic may appear from a few IPs

Best Practices:

function getRateLimitIP(request: Request): string {
  // Check for forwarded headers (from trusted proxies)
  const forwarded = request.headers['x-forwarded-for'];
  if (forwarded && isFromTrustedProxy(request)) {
    return forwarded.split(',')[0].trim();  // Client's real IP
  }
  
  // Check Cloudflare header
  const cfIP = request.headers['cf-connecting-ip'];
  if (cfIP) return cfIP;
  
  // Fallback to direct connection IP
  return request.socket.remoteAddress;
}

Handle Shared IPs:

• Set higher limits for known corporate/university IP ranges
• Use IP + User-Agent combination for finer granularity
• Implement CAPTCHA/challenge for IPs near limits

Organization/Tenant Limiting

For B2B SaaS, limits often apply at the organization level:

Organization: Acme Corp
  ├── User: alice → No individual limit
  ├── User: bob → No individual limit
  ├── User: carol → No individual limit
  └── Org Total: 1,000,000 req/day (shared pool)

Why Organization Limits:

• Align with billing (orgs pay for capacity)
• Large teams need more capacity than individuals
• Simplifies management (admins control allocation)
• Encourages teams to self-govern usage

Combined Org + User Limits:

Organization: 1,000,000 req/day
  └── Per-User within Org: 100,000 req/day

Result: Org can use 1M total, but no single user can use more than 100K
This prevents one runaway user from starving the team

Beyond who, we must decide what resource to limit. Different operations have vastly different costs, and a single global limit is often too coarse.

Global vs. Per-Endpoint Limits

Global Limit Only:

API Key: 10,000 requests/hour (any endpoint)

/api/search: 0 cost awareness
/api/export: 0 cost awareness
/api/simple: 0 cost awareness

Problem: A single /api/export call might consume 100× the resources of /api/simple, but both count as 1 request.

Per-Endpoint Limits:

API Key: 10,000 requests/hour (global)
  /api/search: 100 requests/minute
  /api/export: 10 requests/hour
  /api/simple: 1,000 requests/minute

Now expensive operations are protected separately, and cheap operations can sustain higher throughput.

Weighted Request Costing

Instead of per-endpoint limits, assign costs to operations:

API Key: 100,000 'credits' per hour

GET /api/simple: 1 credit
GET /api/search: 10 credits
POST /api/upload: 50 credits
POST /api/export: 500 credits

Advantages:

• Single unified quota is easier to explain
• Flexible: use cheap calls more, or fewer expensive calls
• Aligns well with usage-based billing

Disadvantages:

• Less intuitive for users ("how many credits do I have left?")
• Requires documenting costs for every operation
• Costs may need tuning as backend efficiency changes

Real-world rate limiting policies are rarely one-dimensional. Hierarchical rate limiting applies limits at multiple levels of a hierarchy, where requests must satisfy all applicable limits.

The Limit Hierarchy

Level 1: Infrastructure Limit (protect the platform)
    │
    └── Level 2: Organization Limit (capacity per paying customer)
            │
            └── Level 3: User Limit (fairness within org)
                    │
                    └── Level 4: Endpoint Limit (protect expensive operations)
                            │
                            └── Level 5: IP Limit (prevent credential stuffing)

Evaluation Order: A request must pass ALL levels:

1. Infrastructure: Is global capacity available? (10M req/min)
2. Organization: Has Acme Corp used their quota? (1M req/day)
3. User: Has alice@acme.com hit her limit? (100K req/day)
4. Endpoint: Has Alice hit /api/export limit? (10 req/hour)
5. IP: Has 203.0.113.50 been flagged? (100 req/min)

If ANY level fails → 429 Too Many Requests

Limit Inheritance and Defaults

Hierarchies should support inheritance for configuration simplicity:

defaults:
  user:
    requests_per_hour: 10000
  endpoint:
    GET: 1000/minute
    POST: 100/minute
    DELETE: 10/minute

overrides:
  organizations:
    acme_corp:
      user:
        requests_per_hour: 100000  # 10x default
      endpoints:
        POST /api/export:
          requests: 100/hour  # Override specific endpoint
          
  users:
    alice@acme.com:
      requests_per_hour: 500000  # Power user exception

Resolution: Most specific wins. Alice gets 500K/hour even though Acme's default is 100K.

Rate limits are often tied to business tiers—free, pro, enterprise—reflecting both capacity constraints and commercial value. Designing tier-based limits requires balancing fairness, monetization, and user experience.

Designing Tier Limits

Principle 1: Free Tier Should Be Genuinely Useful

• Too restrictive → No one tries your API
• Too generous → No reason to upgrade
• Sweet spot: Enough for development, hobby projects, and evaluation

Principle 2: Clear Upgrade Path

• Users should hit limits during growth, not during evaluation
• Provide warnings at 80%, 90%, 95% usage
• Make upgrading frictionless (one-click, no data migration)

Principle 3: Enterprise = Flexibility

• Large customers have unique needs
• Negotiate limits per contract
• Offer self-service limit increases with billing

Principle 4: Protect the Platform at All Tiers

• Even unlimited plans have fair use limits
• Reserve infrastructure capacity for everyone
• Burst limits prevent any single customer from impacting others

Soft Limits vs. Hard Limits

Soft Limits (Overages Allowed):

• Request continues, but user is billed for overage
• Better UX (service doesn't stop unexpectedly)
• Requires billing infrastructure
• Risk: Surprise bills (implement spend alerts!)

Hard Limits (Strict Enforcement):

• Request is rejected with 429
• Clear, predictable behavior
• Simpler implementation
• Risk: Frustrated users, lost revenue

Hybrid Approach (Common):

0-100%: Included in plan
100-200%: Overage charges apply
200%+: Hard rejection (must upgrade plan)

This allows some flexibility while preventing runaway usage.

Let's examine rate limiting policies from major API providers to understand how these concepts work in practice.

Stripe's Rate Limiting

Stripe limits at multiple dimensions simultaneously:

By API Key:

• Live mode: 100 requests/second
• Test mode: 25 requests/second
• Per-endpoint limits for expensive operations

By Resource:

• Create customer: 100/second
• Create payment intent: 100/second
• List operations: 100/second (but paginated)
• Idempotent requests: Cached, don't count against limit

By IP (Fraudulent Activity):

• Card creation from suspicious IPs: Aggressive limiting
• Geographic anomaly detection

Key Innovation: Stripe uses request ID idempotency. Retries with the same idempotency key don't consume quota—critical for payment reliability.

GitHub's Rate Limiting

Authenticated Requests:

• 5,000 requests/hour per user
• Resets each hour (fixed window)

Unauthenticated Requests:

• 60 requests/hour per IP
• Forces authentication for serious use

GraphQL API:

• Point-based system instead of request count
• Complex queries cost more points
• 5,000 points/hour

Search API:

• 30 requests/minute authenticated
• 10 requests/minute unauthenticated
• More restrictive due to expense

Key Innovation: GitHub's point-based GraphQL limiting accurately reflects query cost. Fetching 1 field costs 1 point; fetching 100 nested objects costs 100+ points.

OpenAI's Rate Limiting

Multi-Dimensional Limits:

• Requests per minute (RPM)
• Tokens per minute (TPM)
• Tokens per day (TPD)

Tier Progression:

Free: 3 RPM, 40K TPM
Tier 1: 3,500 RPM, 90K TPM ($5 min spend)
Tier 2: 5,000 RPM, 450K TPM ($50 min spend)
Tier 3: 5,000 RPM, 1M TPM ($100 min spend)
Tier 4: 10,000 RPM, 2M TPM ($250 min spend)
Tier 5: 10,000 RPM, 10M TPM ($1000 min spend)

Model-Specific Limits:

• GPT-4: Lower limits (expensive)
• GPT-3.5: Higher limits (cheaper)

Key Innovation: Token-based limiting accurately reflects LLM costs. A request generating 1,000 tokens costs 20× more than 50 tokens, reflected in TPM limits.

Production rate limiting requires dynamic policy management—the ability to update limits without deployment, create custom overrides, and respond to incidents rapidly.

Rate limiting policy design is as important as the underlying algorithms. Let's consolidate our understanding:

What's Next:

We've designed policies—but how do we communicate them to clients? In the final page, we'll explore Client Communication—the headers, error responses, and retry strategies that create a great developer experience even when rate limiting is engaged.