Skip to content
Dashboard

Rate limiting strategies for APIs: when each algorithm fits

Copy link to headingKey takeaways

Copy link to headingThe boundary burst fixed window ignores

Copy link to headingWhere it breaks: the boundary

Copy link to headingWhere it fits on Vercel

Copy link to headingSliding window trades memory for accuracy

Copy link to headingSliding window log: exact, but it grows

Copy link to headingSliding window counter: fixed memory, accurate enough

Copy link to headingToken bucket is the default for developer-facing APIs

Copy link to headingWhy bursts are a feature, not a bug

Copy link to headingWhere it fits on Vercel

const ratelimit = new Ratelimit({
redis: redis,
limiter: Ratelimit.tokenBucket(5, "10 s", 10),
});

Copy link to headingLeaky bucket shapes outbound traffic

Copy link to headingWhy stateless edge runtimes break every counter you trust

Copy link to headingRead latency makes it look like the perfect counter store

Copy link to headingSplit the two jobs

Copy link to headingAlgorithm selection, by traffic pattern

Copy link to headingRate limiting contains noisy tenants but cannot stop bots

const { rateLimited } = await checkRateLimit('update-object', {
request,
rateLimitKey: auth.orgId,
});

Copy link to headingThe problem no counter can solve

Copy link to headingHow to choose between WAF rules and Routing Middleware

Copy link to headingFAQ

Copy link to headingWhy do my Vercel rate limits sometimes allow more than the configured limit?

Copy link to headingCan I use a token bucket on the Pro plan?

Copy link to headingShould I use Edge Config to store rate-limit counters?

Copy link to headingWill rate limiting protect my API from bots?

Ready to deploy?