rate-limiting-implementation | aj-geddes-useful-ai-prompts-4 | ClaudePluginHub

Skill

rate-limiting-implementation

From aj-geddes-useful-ai-prompts-4

Implements rate limiting, throttling, API quotas, and backpressure with Token Bucket (TypeScript), Sliding Window (Python), Redis distributed limiting, and Express middleware to protect APIs from abuse and manage load.

api-development

Install

$

npx claudepluginhub joshuarweaver/cascade-code-languages-misc-1 --plugin aj-geddes-useful-ai-prompts-4

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- [Overview](#overview)

Supporting Assets

references/adaptive-rate-limiting.mdreferences/express-middleware.mdreferences/redis-based-distributed-rate-limiter.mdreferences/sliding-window-algorithm-python.mdreferences/tiered-rate-limiting.mdreferences/token-bucket-algorithm-typescript.mdscripts/validate-api.shtemplates/api-scaffold.yaml

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

159.9k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

159.9k

next-compile

1 file

Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.

vercel-next-js-2

139.2k

Stats

Stars180

Forks28

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

express-middleware

Rate Limiting Implementation

Table of Contents

Overview
When to Use
Quick Start
Reference Guides
Best Practices

Overview

Implement rate limiting and throttling mechanisms to protect your services from abuse, ensure fair resource allocation, and maintain system stability under load.

When to Use

Protecting public APIs from abuse
Preventing DOS/DDOS attacks
Ensuring fair resource usage across users
Implementing API quotas and billing tiers
Managing system load and backpressure
Enforcing SLA limits
Controlling third-party API usage
Database connection management

Quick Start

Minimal working example:

interface TokenBucketConfig {
  capacity: number;
  refillRate: number; // tokens per second
  refillInterval: number; // milliseconds
}

class TokenBucket {
  private tokens: number;
  private lastRefill: number;
  private readonly capacity: number;
  private readonly refillRate: number;
  private readonly refillInterval: number;
  private refillTimer?: NodeJS.Timeout;

  constructor(config: TokenBucketConfig) {
    this.capacity = config.capacity;
    this.tokens = config.capacity;
    this.refillRate = config.refillRate;
    this.refillInterval = config.refillInterval;
    this.lastRefill = Date.now();

    this.startRefill();
  }

  private startRefill(): void {
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
Token Bucket Algorithm (TypeScript)	Token Bucket Algorithm (TypeScript)
Redis-Based Distributed Rate Limiter	Redis-Based Distributed Rate Limiter
Express Middleware	Express Middleware
Sliding Window Algorithm (Python)	Sliding Window Algorithm (Python)
Tiered Rate Limiting	Tiered Rate Limiting
Adaptive Rate Limiting	Adaptive Rate Limiting

Best Practices

✅ DO

Use distributed rate limiting for multi-server deployments
Implement multiple rate limit tiers (per second, minute, hour, day)
Return proper HTTP status codes (429 Too Many Requests)
Include Retry-After header in responses
Log rate limit violations for monitoring
Implement graceful degradation
Use Redis or similar for persistence
Consider cost-based rate limiting (expensive operations cost more)
Implement burst allowances for legitimate traffic spikes
Provide clear API documentation about limits

❌ DON'T

Store rate limit data in application memory for distributed systems
Use fixed window counters without considering edge cases
Forget to clean up expired data
Block all requests from an IP due to one bad actor
Set limits too restrictive for legitimate use
Ignore the impact of rate limiting on user experience
Fail closed (deny all) when rate limiter fails