The subtle art of API Rate Limiting
- Added 23. 07. 2024
- Based on our blog post of the same title (zuplo.com/blog/2023/05/02/sub...) this is Zuplo's hot take on what really matters when it comes to protecting your API with rate-limiting. You'll find no discussion of algorithms like token bucket vs sliding window here - instead, we get into the real nitty-gritty of what is really important for your API's protection and customer experience. What did we miss?
=== Chapters ===
00:00 Intro
00:30 Background
02:24 The three pillars of an API program
03:44 1/ Canonical Rate-Limiting Implementation
06:20 2/ Public or private quotas / thresholds
08:33 3/ How should rate limits be applied?
14:30 4/ Rate limiting and distributed systems
19:40 5/ Rate limiting latency
20:50 6/ Latency/Accuracy tradeoff
23:47 7/ Observability
25:50 8/ How do I know what rate limits to set?
27:45 Conclusion
=== Links ===
Open Source Rate Limiter examples:
* flask-limiter.readthedocs.io/...
* www.npmjs.com/package/express...
* github.com/mailgun/gubernator
API Keys Best Practices
* Video: • API Key Authentication...
* Article: zuplo.com/blog/2022/12/01/api...
Other useful resources for API developers
* zuplo.com/blog/2023/04/24/use...
Science & Technology
This is such a great explainer on the current approaches and what a dev should think about when implementing rate limiting. Thanks for making this!
Thanks - glad you found it valuable!
Just got into backend development and I must say after watching like 10 videos on just rate limiting algorithms this is probably the most realistic and helpful resource I found.
\o/
Excellent video!
Thanks Logan!
Just watched - very good content and I'll save your blog post. I'm getting ready to advise a client on Edge API - worth it or not?
We feel strongly about it - czcams.com/video/ShNxubyucS0/video.html
A question: how do you call outgoing rate limiting? I mean, my code is communicating with an external API that enforces some limits, and I need to make sure not to abuse it (otherwise they might block my IP). I am looking for some patterns on how to do it properly, but if I google "rate limiting", I always land on "how to protect your app from incoming request" 😅
You would want to search for “debouncing and throttling” instead.
@Zuplo debouncing and throttling, as I understand it, would drop excessive requests. I need something to delay (but still execute) them just the necessary amount of time to meet the limits. Furthermore, it's separate php-fpm processes that should share the same "bucket".