Building Distributed Rate Limiters
How to build distributed rate limiters with Redis Lua scripts. Race conditions, consistency models, and production patterns.
Architecture Guide: Distributed Rate Limiting
Building a rate limiter that runs across horizontally scaled application servers requires a centralized, high-performance caching layer to maintain consistent client states.
1. The Shared State Problem
If you deploy 10 servers behind a load balancer and run in-memory rate limiters:
- Each server maintains independent client counters.
- Clients can bypass limits by routing requests to different servers.
- To prevent this, you must store rate limit counters in a centralized cache database like Redis.
2. Preventing Race Conditions with Lua
If multiple servers read and update a client's counter in Redis simultaneously:
- A race condition occurs: both servers read the counter as under the limit, increment it, and allow both requests, violating the rate policy.
- The Solution: Execute your rate limiting logic atomically using Redis Lua scripts. Because Redis runs each script to completion on a single thread, the read, check, and increment execute as one step, with no other client's commands interleaved between them.
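The race described above can be reproduced deterministically. The following is an added example, not code from LimitYourAPI or its SDK: it models the cache with an in-memory `Map` instead of Redis, and the names `racyRequest`, `atomicRequest`, `simulate` and the key `rl:client-1` are hypothetical.

```javascript
// Model only: a Map stands in for Redis; names here are hypothetical.
const KEY = 'rl:client-1'; // constructed sample key

// Non-atomic limiter: GET, decide on the app server, then SET.
// The yield marks the gap between the two round trips, where a request
// handled by another server can run.
function* racyRequest(store, limit) {
  const count = store.get(KEY) || 0; // round trip 1: read counter
  yield;
  if (count >= limit) return false;
  store.set(KEY, count + 1);         // round trip 2: write stale value + 1
  return true;
}

// Atomic limiter: check and increment happen in one uninterrupted step,
// which is what running the logic inside a Redis Lua script provides.
function* atomicRequest(store, limit) {
  const count = store.get(KEY) || 0;
  if (count >= limit) return false;
  store.set(KEY, count + 1);
  return true;
}

// Run n concurrent requests, advancing each one step at a time (round robin)
// to model servers interleaving their cache commands.
function simulate(requestFn, n, limit) {
  const store = new Map();
  const pending = Array.from({ length: n }, () => requestFn(store, limit));
  let allowed = 0;
  while (pending.length > 0) {
    const req = pending.shift();
    const step = req.next();
    if (!step.done) pending.push(req);
    else if (step.value) allowed += 1;
  }
  return { allowed, counter: store.get(KEY) || 0 };
}

console.log('racy  :', simulate(racyRequest, 10, 3));
console.log('atomic:', simulate(atomicRequest, 10, 3));
```

With a limit of 3 and 10 concurrent requests, the non-atomic version admits all 10 and leaves the counter at 1, because every write is based on the same stale read. The atomic version admits exactly 3.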
3. Fail-Open vs Fail-Closed Design
- Fail-Open: If the Redis cache is unreachable, the limiter logs the error and allows the request to pass. This prioritizes user experience but exposes your servers to traffic surges.
- Fail-Closed: If the cache is down, all requests are rejected. This protects your database but compromises API availability during cache outages.
Next Steps
Ready to protect your API with production-grade rate limiting? Here is the recommended path for Building Distributed Rate Limiters:
- Create a free account at [limityourapi.tech/login](/login) — no credit card required for the Hobby tier
- Generate an API key in the dashboard under API Keys
- Install the SDK: Run `npm install limityourapi` and follow the [Node.js](/sdk/nodejs) guide
- Follow the quick start guide at [/quickstart](/quickstart) for a 2-minute integration
- Configure rules in the dashboard for your highest-risk endpoints first
- Monitor analytics to tune limits based on real traffic patterns
Questions? Read the [documentation](/docs) or explore the [rate limiting education hub](/learn) for deep technical guides on algorithms, architecture, and production patterns.
Frequently Asked Questions
How do I avoid Redis becoming a bottleneck?
Use connection pooling, keep Lua scripts lightweight, run Redis on dedicated memory instances, and configure fail-open defaults to bypass Redis during outages.
What is API rate limiting?
API rate limiting controls how many requests a client can make in a given time window. It protects backends from abuse, ensures fair usage across tenants, and prevents cost overruns from traffic spikes or malicious bots.
Why use Redis for rate limiting?
Redis provides sub-millisecond latency, atomic operations via Lua scripts, and horizontal scalability. Centralized state ensures consistent limits across distributed application servers.
How fast is LimitYourAPI?
LimitYourAPI delivers rate limit decisions in under 15ms globally using atomic Redis Lua scripts. This is fast enough for inline middleware without adding perceptible latency to API responses.
Does LimitYourAPI support token bucket and sliding window?
Yes. LimitYourAPI supports token bucket, sliding window, fixed window, and cost-aware algorithms. You can configure per-route strategies without changing infrastructure.