
Rate limiting

What is rate limiting?

Rate limiting controls how many requests a client can make to a service in a given window of time. Hit the cap and the server responds with a 429 status, usually with a header telling you when you can try again. It is the mechanism that keeps one client, malicious or just badly behaved, from swamping a system that everyone else depends on.

The reasons run from security to fairness to cost. It blunts brute-force login attempts and denial-of-service traffic. It stops a single integration from monopolizing shared capacity. It keeps usage-based bills predictable. A public API that lets each key make a thousand calls an hour is using rate limiting to protect both its infrastructure and its other customers. Common approaches include the token bucket, which allows short bursts above the steady rate, and the sliding window, which smooths the count over time. Limits are typically keyed by API key, user, or IP address.

Good rate limiting is also a contract. The response tells the client its limit, how much it has left, and when the window resets, so a well-built consumer can back off and retry instead of hammering a wall. The art is setting limits high enough that legitimate use never notices and low enough that abuse gets stopped before it costs anyone.
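The token bucket and the limit/remaining/reset contract described above, as an added example that is not Dallonses' own code: a limiter keyed by API key that returns the status and headers for each request. The `X-RateLimit-*` header names follow a common convention and are an assumption here, as are the class name, rate, capacity and sample keys; `Retry-After` is the standard HTTP header.

```python
import math


class TokenBucketLimiter:
    """Token bucket per API key: `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.buckets = {}  # api_key -> (tokens, time of last refill in seconds)

    def check(self, api_key: str, now: float):
        """Return (HTTP status, headers) for one request arriving at time `now`."""
        tokens, updated = self.buckets.get(api_key, (float(self.capacity), now))
        # Refill for the elapsed time, never above capacity: this bounds the burst.
        elapsed = max(0.0, now - updated)
        tokens = min(float(self.capacity), tokens + elapsed * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[api_key] = (tokens, max(updated, now))
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(tokens)),
            # Seconds until the bucket is completely full again.
            "X-RateLimit-Reset": str(math.ceil((self.capacity - tokens) / self.rate)),
        }
        if not allowed:
            # Seconds until one whole token is available for this key.
            headers["Retry-After"] = str(math.ceil((1.0 - tokens) / self.rate))
            return 429, headers
        return 200, headers


def demo():
    """Constructed traffic: key-A bursts 4 requests at t=0, retries at t=2; key-B once."""
    limiter = TokenBucketLimiter(rate=0.5, capacity=3)  # 1 token per 2 s, burst of 3
    statuses = [limiter.check("key-A", 0.0)[0] for _ in range(4)]
    statuses.append(limiter.check("key-A", 2.0)[0])  # one token has refilled
    statuses.append(limiter.check("key-B", 2.0)[0])  # separate bucket, unaffected
    return statuses


if __name__ == "__main__":
    print(demo())
```

Keeping rate and capacity as constructor arguments is what lets tiered limits per key live in one place; a client that honours `Retry-After` waits exactly as long as the bucket needs to refill one token.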

Rate limiting at Dallonses

We build rate limiting into APIs from the start, not after an incident forces it. On a project exposing data to third-party partners, we set tiered limits per key, returned clear headers so partners could throttle themselves cleanly, and kept the rules in one place so they were easy to tune as real usage patterns showed up. No partner got surprised, and no single client could take the platform down.

For the custom web application work we do, rate limiting is one layer in a wider defence, sitting alongside auth, validation, and monitoring. We tune the thresholds against real traffic rather than guessing, and we make the failure behaviour predictable so clients integrating with the API know exactly what to expect. The result is protection that does its job without getting in the way of the people who are using the system properly.

Opening an API to the world and want it to stay standing? Let's set the limits right.
