Rate Limiting Algorithms: Token Bucket, Leaky Bucket, and Sliding Windows
Rate limiting algorithms like token bucket, leaky bucket, and sliding windows help prevent API abuse and ensure system stability.
Rate limiting is a crucial mechanism to control the frequency of requests to an API or service, preventing abuse and ensuring system stability. It determines how systems allocate finite capacity across users, services, and regions. Choosing the right rate limiting algorithm is essential to prevent boundary exploits, uneven load, or distributed consistency failures.
What happened
The fixed window algorithm divides time into discrete intervals and tracks the number of requests within each interval. However, it allows boundary burst amplification, where a client can send a large number of requests at the boundary of two intervals. The token bucket algorithm generates tokens at a steady rate, which are required to process requests, allowing bursts of traffic while maintaining an overall rate limit. The leaky bucket algorithm is best for shaping outbound or downstream traffic.
The sliding window algorithm models recent history and is a practical compromise for scale. The sliding log algorithm is the most accurate but can become memory-intensive.
Why it matters
Rate limiting is essential to prevent abuse, ensure system stability, and maintain fair resource allocation among users. It helps mitigate risks such as denial-of-service attacks, brute-force attempts, and resource exhaustion. Proper rate limiting ensures that legitimate users are not rate-limited into unresponsiveness.
Pros and Cons
- Prevents abuse and ensures system stability
- Maintains fair resource allocation among users
- Helps mitigate risks such as denial-of-service attacks and brute-force attempts
- Can be complex to implement and manage
- May require significant resources and infrastructure
- Can be challenging to choose the right algorithm
How to think about it
When choosing a rate limiting algorithm, consider the specific requirements of your system, including the type of traffic, the level of burst tolerance, and the need for fairness and abuse resistance. A useful mental model is to consider token bucket as modeling capacity accumulation, sliding window as modeling recent history, and fixed window as modeling discrete accounting periods.
FAQ
What is rate limiting?+
What is the token bucket algorithm?+
What is the sliding window algorithm?+
- engineering·3 min readIrish datacenters now guzzle 23% of the country's electricity
Ireland's datacenters consumed 23% of the country's electricity in 2025, rising 10% from 2024 despite restrictions on new grid connections.
- engineering·3 min readClaude Code incurs 33k token overhead per request versus OpenCode’s 7k: cost and cache implications
Claude Code adds ~33,000 tokens before reading a prompt, while OpenCode adds ~7,000. We explain why this matters for cost, latency, and caching.
- engineering·3 min readWhy AI 2040 Scenarios Miss Real-World Constraints and What Builders Should Expect
A look at AI 2040 forecasts, their gaps with hardware realities, and practical guidance for engineers building tomorrow’s systems.
The week’s highest-signal tech and AI stories, synthesized into a five-minute read. One email a week, no spam, unsubscribe anytime.