# Add Rate Limiting with Vercel

**Author:** Vercel

---

This guide is a comprehensive walkthrough to handle rate limiting using the Vercel [Web Application Firewall](https://vercel.com/docs/security/vercel-waf) (WAF). We will discuss the necessity of rate limiting, understanding Vercel and its features like Vercel WAF and review a [resource](#how-to-implement-rate-limiting) on implementing rate limiting with Vercel WAF.

## Why do you need rate limiting?

Rate limiting is a technique for controlling network traffic. It sets a limit on how many requests a client can make to a server in a specific period.

1. **Ensure uptime of your services:** Rate limiting protects your services from being overwhelmed by excessive requests. By controlling the number of requests, you can maintain the optimal performance of your service and ensure its availability.
   
2. **Control billing:** Rate limiting helps manage and control your billing costs by preventing unforeseen spikes in usage, particularly important when using services that charge by the request.
   
3. **Prevent malicious usage:** Rate limiting is essential when using AI providers and Large Language Models (LLMs). Rate limiting can protect your service from malicious usage or abuse, such as DDoS attacks.
   
4. **Add differentiation of product usage based on plan:** Rate limiting can be used to create usage tiers. For example, free users might be limited to a certain number of requests per day, while premium users might have a higher limit.
   

### Vercel WAF

[Vercel WAF](https://vercel.com/docs/security/vercel-waf) allows you to monitor and control the internet traffic to your site through IP blocking, custom rules and managed rulesets.

## How to Implement Rate Limiting

With Vercel WAF, you can configure specific rules to log, deny, challenge, bypass, or rate limit traffic to your site. When you apply the configuration, it takes effect immediately and does not require re-deployment.

1. Add a rate limiting custom rule to your Vercel project with the [Rate Limit API Requests Firewall Rule](https://vercel.com/templates/other/rate-limit-api-requests-firewall-rule) template or the [Get Started](https://vercel.com/docs/security/vercel-waf/rate-limiting#get-started) documentation
   
2. In the Configure section, set an **If** condition with the following values for the 3 drop-down fields: **Request Path, Equals** and the value of the request path that you would like to rate limit such as `api/rate-limit-endpoint`
   
3. Set the **Then** action to Rate Limit and follow the remaining steps from the [Get started](https://vercel.com/docs/security/vercel-waf/rate-limiting#get-started) documentation
   

### Rate limit in code with `@vercel/firewall`

Use the `@vercel/firewall` package if you need rate limiting:

- Based on application-level conditions, such as a user ID, organization, or custom header that not available in the dashboard
  
- Based on requests in your backend
  

First, create a WAF rule in the Vercel dashboard with `@vercel/firewall` as the condition and a rate limit ID.

Then use that ID in your code:

`import { checkRateLimit } from '@vercel/firewall'; export async function POST(request: Request) { const { rateLimited } = await checkRateLimit('your_rate_limit_id', { request }); if (rateLimited) { return new Response(JSON.stringify({ error: 'Rate limit exceeded' }), { status: 429, headers: { 'Content-Type': 'application/json' }, }); } // Continue with request handling }`

See the [Rate Limiting SDK documentation](https://vercel.com/docs/vercel-firewall/vercel-waf/rate-limiting-sdk) for full setup instructions.

---

[View full KB sitemap](/kb/sitemap.md)
