Skip to content
·11 min read

What Is Rate Limiting and How It Protects Your App

The traffic control system that keeps your app from being overwhelmed by too many requests

Share

A Replit user recently shared their horror story. They launched an AI-powered app, went to bed, and woke up to a $607.70 bill. Not for the month. For a few days. They were projecting $8,000 per month from a single app that barely had users.

The app worked perfectly. It just had no limits on how often it could call external APIs. Bots hammered the endpoint, the meter kept running, and there was nothing standing between the internet and their wallet.

That missing thing was rate limiting.

The Bouncer at the Door

Think of your app as a nightclub. Anyone with a valid ID can walk in. That is authentication, and most AI-built apps handle it fine. But authentication only answers the question "are you allowed in?" It does not answer the much more important question: "how many times can you come in?"

Rate limiting is the bouncer who counts.

The bouncer lets you into the club. No problem. But if you walk out and try to re-enter two minutes later, and then again, and again, the bouncer starts paying attention. After your fifth re-entry in thirty minutes, the bouncer stops you. "You have hit your limit. Come back in an hour."

This is not punishment. It is protection. One person cycling in and out every two minutes clogs the entrance and degrades the experience for everyone else. In software terms, one user or bot sending hundreds of requests per second can overwhelm your server, spike your costs, and slow things down for all your other users.

Why This Confuses Everyone at First

This confuses everyone at first because rate limiting feels unnecessary when your app is small. Ten users, a few requests per minute, everything runs smoothly. Why add a bouncer to a club with ten people?

Because your club is not private. Your app is on the open internet. Bots, scrapers, and misconfigured clients can send thousands of requests without you knowing. And if your app calls paid external APIs (like OpenAI or Anthropic), every unchecked request costs you money.

That Replit user's $607.70 bill happened because there was no bouncer at all. The door was wide open.

EXPLAINER DIAGRAM: A split-screen comparison diagram. LEFT side labeled WITHOUT RATE LIMITING shows a server icon in the center being hit by dozens of arrow lines from multiple sources labeled NORMAL USERS, BOTS, and SCRAPERS all flooding in simultaneously. Below the server, a billing meter icon shows a dollar amount rapidly climbing with the text COSTS SPIRAL with a real stat callout showing $607.70 IN DAYS. The server has a red warning indicator labeled OVERWHELMED. RIGHT side labeled WITH RATE LIMITING shows the same server but with a bouncer figure standing in front. The bouncer has a clipboard showing MAX 100 REQUESTS PER MINUTE PER USER. Normal user arrows pass through at a controlled rate. Bot and scraper arrows are blocked with red X marks. The server has a green indicator labeled HEALTHY. Below the server, the billing meter shows a stable, low dollar amount labeled COSTS CONTROLLED.
Without rate limiting, your app has no defense against runaway costs or traffic spikes. With it, every user gets fair access and your bill stays predictable.

How Rate Limiting Actually Works

The bouncer needs a system. He cannot just remember every face and count re-entries in his head. In practice, rate limiting uses a few well-defined strategies.

The simplest is a fixed window. The bouncer resets his count every hour on the hour. You get 100 entries per hour. At 2:00 PM the count resets to zero. Easy to implement, but with an edge case: 99 entries at 1:59 PM and 100 more at 2:01 PM means 199 entries in two minutes because the window reset fell in between.

A sliding window fixes this by counting the last 60 minutes from right now, not from the top of the hour. More accurate, slightly more complex.

The most elegant approach is the token bucket. The bouncer gives you a bucket with 10 tokens. Every entry costs one token. Tokens refill at a steady rate, one every six seconds. This allows short bursts while enforcing a steady average rate over time.

When you see an API respond with "429 Too Many Requests," that is the bouncer turning you away.

The Different Doors That Need Bouncers

Your app does not have just one entrance. It has multiple doors, and each one needs its own bouncer with different rules.

API endpoints are the most obvious. Every route should have rate limits. A common setup is 100 requests per minute per user for general endpoints, and stricter limits (maybe 10 per minute) for expensive operations like AI generation or file uploads.

Authentication endpoints need especially strict limits. Login pages are prime targets for brute-force attacks. Five attempts per minute per IP address is a common configuration.

Outbound API calls are where the cost story gets critical. When your app calls OpenAI, Anthropic, or any paid API, you need rate limiting on your side, not just theirs. The AI provider's limits protect their infrastructure, not your wallet. If you let users trigger unlimited AI calls, you are handing them a direct line to your credit card.

Key Takeaway

Rate limiting is not just about protecting your server. It is about protecting your wallet. Every unguarded API call to a paid service is an open line of credit to whoever finds your endpoint. The bouncer is not optional; he is your financial firewall.

You Might Think AI Tools Handle This

You might think that AI coding tools would add rate limiting automatically, since it is such a fundamental protection. But actually, AI tools almost never add it unless you explicitly ask.

AI tools build what you request. "Build me an endpoint that generates images using the OpenAI API" produces an endpoint that works, handles errors, and validates input. It does everything a good endpoint should, except limit how often it can be called.

The problem surfaces at 3 AM when a bot discovers your endpoint and makes 10,000 requests in an hour.

The fix is straightforward. After your AI builds an API route, add one follow-up: "Add rate limiting, 60 requests per minute per user, with a 429 response when exceeded." AI tools implement this correctly when asked. They just never volunteer it.

Implementing the Bouncer

Rate limiting lives in your middleware layer, the code that runs before every request reaches your endpoint. Think of it as the bouncer checking everyone before they reach the dance floor.

The key decisions are how you identify visitors (by IP address, API key, or user ID), what the limits should be, and what happens when exceeded. The standard response is HTTP 429 (Too Many Requests) with a Retry-After header.

Building an App with API Calls?

Rate limiting is essential protection, but it is just one piece of building resilient apps. Learn the fundamentals.

Explore more

For apps calling expensive external APIs, you also want a global rate limit on outbound calls. Even if individual users are within limits, total volume might exceed your budget. Set a global ceiling and queue requests when it is hit.

VIP Access and Tiered Limits

Not every visitor gets the same treatment. The bouncer might let VIP guests enter more frequently. Rate limiting works the same way.

Most production APIs use tiered limits. Free users get 100 requests per hour. Paid users get 1,000. Enterprise customers get 10,000. The bouncer checks your membership level before applying the rules.

This is also how you monetize API access. Stripe, Twilio, and every major API company uses tiered rate limits as a core part of their pricing. The technology that protects your app becomes the mechanism that drives revenue.

EXPLAINER DIAGRAM: A horizontal flow diagram showing a request passing through rate limiting middleware. On the far left, three different user icons are stacked vertically, labeled FREE USER (with a tag showing 100 per hour), PAID USER (with a tag showing 1000 per hour), and ENTERPRISE USER (with a tag showing 10000 per hour). Each user has an arrow pointing right toward a central box labeled RATE LIMIT MIDDLEWARE with a bouncer icon. Inside the middleware box, a flowchart shows CHECK USER TIER leading to CHECK REQUEST COUNT leading to a diamond decision node labeled UNDER LIMIT with YES going right to a green box labeled ALLOW and a 200 OK status, and NO going down to a red box labeled REJECT with a 429 TOO MANY REQUESTS status and a RETRY-AFTER HEADER note. The ALLOW arrow continues right to a final box labeled YOUR API ENDPOINT.
Rate limiting middleware checks every request against the user's tier before it reaches your endpoint. Different users can have different limits based on their plan.

The Cost Spiral That Rate Limiting Prevents

Let us come back to that $607.70 story. The math is brutal.

If an AI API call costs $0.01 and your endpoint gets hit 1,000 times per hour by bots or runaway loops, that is $10 per hour. Manageable. But AI can accidentally trigger infinite API calls. A poorly written retry loop, a webhook that calls itself, or a user automating requests can push that to 10,000 calls per hour. Now it is $100 per hour, $2,400 per day, $72,000 per month.

Rate limiting caps the damage. Set a limit of 60 requests per minute per user, and the worst case is bounded. One abusive user can cost you at most $0.60 per minute, and you can detect and block them long before the bill gets serious.

Common Mistake

Relying on the API provider's rate limits to protect your costs. OpenAI, Anthropic, and other AI services have rate limits, but those protect their infrastructure, not your budget. Their limits might allow thousands of requests per minute, far more than you can afford. You need your own rate limits, tuned to your own financial constraints, sitting between your users and any paid API call.

Rate limiting also caps infrastructure costs. With auto-scaling enabled (the default on most cloud platforms), a traffic spike means your compute bill scales up automatically. Rate limiting puts a ceiling on that.

Testing Your Bouncer

Write a script that sends 150 requests in rapid succession. Verify that the first 100 succeed and the last 50 get rejected with 429 status. If all 150 succeed, your bouncer is asleep.

Also test the user experience when limits are hit. A bare 429 is confusing. A friendly message like "You are making requests too quickly, please wait 30 seconds" is much better.

What This Means For You

Rate limiting is the bouncer for your app. It controls how often each user, bot, or script can make requests, protecting your server, your wallet, and your users.

  • If you are a founder building a product: Add rate limiting before you launch, especially on endpoints that call paid APIs. The $607.70 nightmare is entirely preventable with a few lines of middleware. Ask your AI tool to add rate limiting to every API route, and set a global budget ceiling on outbound calls. This is financial protection, not a nice-to-have.
  • If you are a senior dev evaluating AI-generated code: Check every API route for rate limiting. AI tools never add it proactively. Audit outbound API calls especially carefully, since a missing rate limit on an AI endpoint is an unbounded cost liability.
  • If you are a student learning how apps work: Build a simple API with rate limiting from scratch. Use a token bucket implementation, hit the endpoint in a loop, and watch the 429 responses kick in. Understanding this early will save you from real financial pain when you build apps that call paid services.
Ready to Build Resilient Apps?

Rate limiting is one essential protection. Learn the full set of fundamentals that keep your apps safe and your costs predictable.

Keep learning
PJ
Pranay Joshi

20+ years building products at scale. VP of Product & Engineering, startup founder, and AI coach. Helping dreamers turn ideas into reality with vibe coding.

The Tuesday Shipping Report

Every Tuesday, one focused email:

  • - The tool or technique that's actually working right now
  • - A real problem from the community (and how to solve it)
  • - What changed this week in the vibe coding landscape

Read by 1,000+ founders, developers, and creators building with AI. Free forever. No spam.