[{"data":1,"prerenderedAt":458},["ShallowReactive",2],{"blog-prompts/rate-limit-api":3},{"id":4,"title":5,"body":6,"category":437,"date":438,"dateModified":439,"description":440,"draft":441,"extension":442,"faq":443,"featured":441,"headerVariant":444,"image":443,"keywords":443,"meta":445,"navigation":446,"ogDescription":447,"ogTitle":443,"path":448,"readTime":443,"schemaOrg":449,"schemaType":450,"seo":451,"sitemap":452,"stem":453,"tags":454,"twitterCard":456,"__hash__":457},"blog/blog/prompts/rate-limit-api.md","Add Rate Limiting to API with AI Prompts",{"type":7,"value":8,"toc":424},"minimark",[9,16,21,24,88,92,97,100,139,143,146,196,200,203,256,259,305,315,319,322,362,371,393,412],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you implement rate limiting to prevent API abuse. They cover token bucket and sliding window algorithms, per-user and global limits, and proper response headers. Rate limiting protects against DDoS, prevents abuse, and ensures fair usage.",[17,18,20],"h2",{"id":19},"basic-rate-limiting","Basic Rate Limiting",[13,22,23],{},"Use this prompt to generate a complete rate limiting middleware with per-IP and per-user limits. 
Your AI will create reusable middleware, Redis or in-memory storage setup, proper 429 responses, and standard rate limit headers (X-RateLimit-Limit, Remaining, Reset).",[25,26,28,31,34,53,56,68,71,85],"prompt-box",{"title":27},"Basic Rate Limiting Setup",[13,29,30],{},"Add rate limiting to my API endpoints.",[13,32,33],{},"Requirements:",[35,36,37,41,44,47,50],"ol",{},[38,39,40],"li",{},"Limit requests per IP address (for unauthenticated requests)",[38,42,43],{},"Limit requests per user/API key (for authenticated requests)",[38,45,46],{},"Return proper 429 status when limit exceeded",[38,48,49],{},"Include rate limit headers in responses",[38,51,52],{},"Store rate limit state (Redis or in-memory)",[13,54,55],{},"Default limits:",[57,58,59,62,65],"ul",{},[38,60,61],{},"Unauthenticated: 60 requests per minute",[38,63,64],{},"Authenticated: 1000 requests per minute",[38,66,67],{},"Specific endpoints may have custom limits",[13,69,70],{},"Response headers to include:",[57,72,73,76,79,82],{},[38,74,75],{},"X-RateLimit-Limit: total allowed",[38,77,78],{},"X-RateLimit-Remaining: remaining requests",[38,80,81],{},"X-RateLimit-Reset: when limit resets (Unix timestamp)",[38,83,84],{},"Retry-After: seconds to wait (when limited)",[13,86,87],{},"Create reusable middleware that can be configured per route.",[17,89,91],{"id":90},"framework-specific-implementation","Framework-Specific Implementation",[93,94,96],"h3",{"id":95},"nextjs-rate-limiting","Next.js Rate Limiting",[13,98,99],{},"Copy this prompt to generate rate limiting utilities for both Next.js App Router and Pages Router. 
You'll get a higher-order function wrapper, Upstash Redis or in-memory storage, and edge-compatible helpers that handle serverless cold starts.",[25,101,102,105,108,125,128,136],{"title":96},[13,103,104],{},"Add rate limiting to my Next.js API routes.",[13,106,107],{},"For both App Router and Pages Router:",[35,109,110,113,116,119,122],{},[38,111,112],{},"Create a rate limiting utility using Upstash Redis or in-memory",[38,114,115],{},"Support edge runtime (for middleware) and Node runtime",[38,117,118],{},"Create higher-order function for Pages Router",[38,120,121],{},"Create helper for App Router route handlers",[38,123,124],{},"Support Vercel's x-real-ip header for IP detection",[13,126,127],{},"Usage should be simple:",[57,129,130,133],{},[38,131,132],{},"Pages Router: export default withRateLimit(handler, { limit: 10 })",[38,134,135],{},"App Router: await rateLimit(request, { limit: 10 })",[13,137,138],{},"Handle serverless cold starts (in-memory won't persist between invocations).",[93,140,142],{"id":141},"expressjs-rate-limiting","Express.js Rate Limiting",[13,144,145],{},"Use this prompt to set up Express rate limiting with Redis-backed storage, IP whitelisting, and tiered limits by user plan. 
Your AI will configure global limits, stricter auth endpoint limits, and separate dev/production settings.",[25,147,149,152,155,163,165,182,185,193],{"title":148},"Express Rate Limiting",[13,150,151],{},"Add rate limiting to my Express.js API.",[13,153,154],{},"Options:",[35,156,157,160],{},[38,158,159],{},"Use express-rate-limit with Redis store",[38,161,162],{},"Implement custom rate limiter with sliding window",[13,164,33],{},[57,166,167,170,173,176,179],{},[38,168,169],{},"Global rate limit for all routes",[38,171,172],{},"Stricter limits for auth endpoints (login, register)",[38,174,175],{},"Skip rate limiting for health checks",[38,177,178],{},"Whitelist certain IPs (internal services)",[38,180,181],{},"Different limits by user tier (free vs paid)",[13,183,184],{},"Configuration:",[57,186,187,190],{},[38,188,189],{},"Development: relaxed limits for testing",[38,191,192],{},"Production: strict limits",[13,194,195],{},"Also add request throttling for expensive operations.",[17,197,199],{"id":198},"advanced-rate-limiting","Advanced Rate Limiting",[13,201,202],{},"This prompt asks your AI to build subscription-aware rate limiting with Free, Pro, and Enterprise tiers. 
You'll get tier lookup logic, burst allowance handling, usage tracking for billing, and per-endpoint limit configuration.",[25,204,206,209,212,223,225,242,245],{"title":205},"Tiered Rate Limits",[13,207,208],{},"Implement tiered rate limiting based on user subscription.",[13,210,211],{},"Tiers:",[57,213,214,217,220],{},[38,215,216],{},"Free: 100 requests/hour",[38,218,219],{},"Pro: 1000 requests/hour",[38,221,222],{},"Enterprise: 10000 requests/hour",[13,224,33],{},[35,226,227,230,233,236,239],{},[38,228,229],{},"Look up user tier from database/cache",[38,231,232],{},"Apply appropriate limit based on tier",[38,234,235],{},"Return tier info in response headers",[38,237,238],{},"Track usage for billing/analytics",[38,240,241],{},"Grace period for temporary overages",[13,243,244],{},"Also implement:",[57,246,247,250,253],{},[38,248,249],{},"Burst allowance (temporary spike above limit)",[38,251,252],{},"Separate limits for different endpoint types",[38,254,255],{},"Usage dashboard data collection",[13,257,258],{},"Copy this prompt to configure per-endpoint rate limits based on operation type (auth, read, write, search). 
Your AI will generate a configurable decorator or middleware with violation logging and abuse alerting.",[25,260,262,265,268,285,288],{"title":261},"Endpoint-Specific Limits",[13,263,264],{},"Add different rate limits for different types of endpoints.",[13,266,267],{},"Categories:",[35,269,270,273,276,279,282],{},[38,271,272],{},"Auth endpoints (login, register): Very strict (5/minute per IP)",[38,274,275],{},"Read endpoints: Moderate (100/minute)",[38,277,278],{},"Write endpoints: Stricter (30/minute)",[38,280,281],{},"Search/expensive: Very strict (10/minute)",[38,283,284],{},"Public/cached: Lenient (1000/minute)",[13,286,287],{},"Implement:",[57,289,290,293,296,299,302],{},[38,291,292],{},"Rate limit decorator/middleware that accepts config",[38,294,295],{},"Configuration file for all endpoints",[38,297,298],{},"Easy override for specific routes",[38,300,301],{},"Logging of rate limit violations",[38,303,304],{},"Alerting for sustained abuse",[306,307,308],"warning-box",{},[13,309,310,314],{},[311,312,313],"strong",{},"Don't forget distributed systems:"," If you have multiple server instances, use Redis or another shared store for rate limit state. In-memory rate limiting won't work correctly when requests hit different servers.",[17,316,318],{"id":317},"handling-rate-limits","Handling Rate Limits",[13,320,321],{},"Use this prompt to improve how your API communicates rate limits to clients. 
You'll get a standardized 429 error response format with Retry-After headers, plus client-side code examples demonstrating exponential backoff.",[25,323,325,328,331,345,348,359],{"title":324},"Rate Limit Response Handling",[13,326,327],{},"Improve how my API handles and communicates rate limits.",[13,329,330],{},"Server-side:",[35,332,333,336,339,342],{},[38,334,335],{},"Return 429 status code when limited",[38,337,338],{},"Include helpful error message with limit details",[38,340,341],{},"Add Retry-After header with wait time",[38,343,344],{},"Log rate limit events for monitoring",[13,346,347],{},"Client-side guidance:",[35,349,350,353,356],{},[38,351,352],{},"Explain exponential backoff strategy",[38,354,355],{},"Document rate limit headers",[38,357,358],{},"Provide code examples for handling 429",[13,360,361],{},"Response format:\n{\n\"error\": \"rate_limit_exceeded\",\n\"message\": \"Too many requests. Please wait 30 seconds.\",\n\"retryAfter\": 30,\n\"limit\": 100,\n\"remaining\": 0,\n\"reset\": 1706745600\n}",[363,364,365],"tip-box",{},[13,366,367,370],{},[311,368,369],{},"Pro tip:"," Consider using a sliding window algorithm instead of fixed windows. Fixed windows can allow burst traffic right before and after the window resets. Sliding windows provide smoother rate limiting.",[372,373,374,381,387],"faq-section",{},[375,376,378],"faq-item",{"question":377},"What rate limits should I start with?",[13,379,380],{},"Start conservative and increase based on legitimate usage. A good starting point is 60/minute for unauthenticated and 1000/minute for authenticated users. Monitor and adjust based on actual usage patterns.",[375,382,384],{"question":383},"Should I rate limit by IP or by user?",[13,385,386],{},"Both. Use IP limiting for unauthenticated requests and user/API key limiting for authenticated requests. 
This protects against both anonymous abuse and authenticated abuse.",[375,388,390],{"question":389},"What's the difference between rate limiting and throttling?",[13,391,392],{},"Rate limiting rejects requests over the limit with 429. Throttling slows down requests (adds delay) instead of rejecting. Rate limiting is more common for APIs; throttling is more common for preventing system overload.",[394,395,396,402,407],"related-articles",{},[397,398],"related-card",{"description":399,"href":400,"title":401},"Full API security","/blog/prompts/secure-api-endpoints","Secure API Endpoints",[397,403],{"description":404,"href":405,"title":406},"Protect your endpoints","/blog/prompts/add-api-authentication","Add API Authentication",[397,408],{"description":409,"href":410,"title":411},"Validate API keys properly","/blog/prompts/api-key-validation","API Key Validation",[413,414,417,421],"cta-box",{"href":415,"label":416},"/","Start Free Scan",[17,418,420],{"id":419},"test-your-rate-limiting","Test Your Rate Limiting",[13,422,423],{},"Check if your API has proper rate limiting and abuse protection.",{"title":425,"searchDepth":426,"depth":426,"links":427},"",2,[428,429,434,435,436],{"id":19,"depth":426,"text":20},{"id":90,"depth":426,"text":91,"children":430},[431,433],{"id":95,"depth":432,"text":96},3,{"id":141,"depth":432,"text":142},{"id":198,"depth":426,"text":199},{"id":317,"depth":426,"text":318},{"id":419,"depth":426,"text":420},"prompts","2026-02-23","2026-03-06","AI prompts to add rate limiting to your API. Prevent abuse, protect against DDoS, and ensure fair usage with proper rate limiting implementation.",false,"md",null,"cyan",{},true,"AI prompts to add rate limiting to your API and prevent abuse.","/blog/prompts/rate-limit-api","[object Object]","BlogPosting",{"title":5,"description":440},{"loc":448},"blog/prompts/rate-limit-api",[455],"API Protection","summary_large_image","hysrLFXvALiueUKq_oSOKS4L6fQut6JVMRF2YlFlQPY",1775843938428]