YepAPI
Rate Limiting Agent Skill

Token bucket, sliding window, per-user/IP limits, Redis-backed, Upstash patterns.

Tags: rate-limit, redis, security, api

The Skill

SKILL.md
---
description: Token bucket, sliding window, per-user/IP limits, Redis-backed, Upstash patterns.
homepage: https://yepapi.com/skills/rate-limiting
metadata:
  tags: [rate-limit, redis, security, api]
---

# Rate Limiting

## Rules

- Use token bucket for API endpoints, sliding window for auth/login routes
- Identify callers by API key first, fall back to IP — never IP-only for authenticated routes
- Return `429 Too Many Requests` with `Retry-After` header (seconds) and `X-RateLimit-Remaining` header
- Store counters in Redis (or Upstash for serverless) — never in-memory for multi-instance deployments
- Set sensible defaults: 100 req/min for general API, 5 req/min for auth, 1000 req/min for reads
- Use `@upstash/ratelimit` for serverless — it handles Redis atomicity and sliding window natively
- Implement rate limiting as middleware — apply globally, override per-route with stricter limits
- For Next.js: rate limit in middleware.ts or API route handlers, not in React components
- Separate limits by tier: free, pro, enterprise — store tier in JWT or database lookup
- Log rate limit hits with caller identity — detect abuse patterns early
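The two algorithms named in the first rule, together with the `429` / `Retry-After` / `X-RateLimit-Remaining` response shape from the third, as an added example that is not part of the YepAPI skill. The store is an in-memory `Map` purely so the example runs stand-alone; in a multi-instance or serverless deployment the same read-modify-write must happen atomically in Redis (a Lua script, or `@upstash/ratelimit`), which is exactly what the "Avoid" list below warns about. The injectable `now` clock is an assumption of this example so the behaviour can be checked deterministically.

```typescript
// Added example: token bucket vs. sliding-window log, plus 429 headers.
// In-memory state is for illustration only; production keeps it in Redis.

export interface Decision {
  allowed: boolean;
  status: 200 | 429;
  headers: Record<string, string>;
}

// Token bucket: `capacity` tokens, refilled continuously at `refillPerSec`.
// Suited to general API endpoints: short bursts up to `capacity` pass, the
// sustained rate is bounded by the refill rate.
export class TokenBucket {
  private buckets = new Map<string, { tokens: number; updatedMs: number }>();
  constructor(
    private capacity: number,
    private refillPerSec: number,
    private now: () => number = Date.now, // injectable clock (assumption for testing)
  ) {}

  take(key: string): Decision {
    const nowMs = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.capacity, updatedMs: nowMs };
    // Refill in proportion to elapsed time, never above capacity.
    const elapsedSec = (nowMs - b.updatedMs) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedMs = nowMs;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      this.buckets.set(key, b);
      return ok(this.capacity, Math.floor(b.tokens));
    }
    this.buckets.set(key, b);
    // Seconds until a whole token is available again.
    const retryAfterSec = Math.ceil((1 - b.tokens) / this.refillPerSec);
    return tooMany(this.capacity, retryAfterSec);
  }
}

// Sliding-window log: at most `limit` requests in ANY `windowMs` interval.
// Suited to auth/login routes: there is no saved-up burst to spend, so a
// 5/min limit really means five attempts in any 60-second span.
export class SlidingWindow {
  private logs = new Map<string, number[]>();
  constructor(
    private limit: number,
    private windowMs: number,
    private now: () => number = Date.now, // injectable clock (assumption for testing)
  ) {}

  take(key: string): Decision {
    const nowMs = this.now();
    const cutoff = nowMs - this.windowMs;
    // Discard timestamps that have aged out of the window.
    const log = (this.logs.get(key) ?? []).filter((t) => t > cutoff);
    if (log.length < this.limit) {
      log.push(nowMs);
      this.logs.set(key, log);
      return ok(this.limit, this.limit - log.length);
    }
    this.logs.set(key, log);
    // The oldest timestamp still in the window decides when a slot frees up.
    const oldest = log[0] ?? nowMs;
    const retryAfterSec = Math.ceil((oldest + this.windowMs - nowMs) / 1000);
    return tooMany(this.limit, Math.max(1, retryAfterSec));
  }
}

function ok(limit: number, remaining: number): Decision {
  return {
    allowed: true,
    status: 200,
    headers: { "X-RateLimit-Limit": String(limit), "X-RateLimit-Remaining": String(remaining) },
  };
}

function tooMany(limit: number, retryAfterSec: number): Decision {
  return {
    allowed: false,
    status: 429,
    headers: {
      "X-RateLimit-Limit": String(limit),
      "X-RateLimit-Remaining": "0",
      "Retry-After": String(retryAfterSec), // seconds, as the rules require
    },
  };
}
```

A middleware would call `take(key)` once per request, copy `decision.headers` onto the response, and short-circuit with `decision.status` when `allowed` is false. Note the difference in what the two limiters permit at the boundary: a freshly created `TokenBucket(3, 1)` lets three requests through instantly and then one per second, whereas `SlidingWindow(2, 10_000)` never allows a third request until the oldest one has aged out of the window.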

## Patterns

```ts
// Upstash serverless pattern
import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

// One limiter per module (reused across invocations): 10 requests per caller
// in any 10-second sliding window. Redis.fromEnv() reads
// UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, "10 s"),
  analytics: true,
});

// `identifier` is the caller identity (API key or user id, IP only as fallback).
// `reset` is the epoch-millisecond time the window resets; derive Retry-After from it.
export async function checkRateLimit(identifier: string) {
  const { success, limit, remaining, reset } = await ratelimit.limit(identifier);
  return { success, limit, remaining, reset };
}
```
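Where the `identifier` passed to `ratelimit.limit()` comes from, and which budget applies to it, following the "API key first, fall back to IP", tier and per-route rules above. This is an added example, not part of the YepAPI skill or `@upstash/ratelimit`: the request shape, the `API_KEY_TIERS` table and the `TIER_MULTIPLIER` values are constructed stand-ins for a JWT claim or database row, and the proxy handling assumes exactly one trusted reverse proxy in front of the service.

```typescript
// Added example: resolve the limit key and the applicable budget.
// Tables below are constructed for the example, not production values.

export type Tier = "anonymous" | "free" | "pro" | "enterprise";

export interface IncomingRequest {
  method: string;
  path: string;
  headers: Record<string, string>; // header names lower-cased (assumption)
  remoteAddr: string;              // TCP peer as seen by this process
}

// Constructed: in a real service this comes from the key's JWT claims or a DB row.
const API_KEY_TIERS: Record<string, Tier> = {
  key_free_0001: "free",
  key_pro_0001: "pro",
  key_ent_0001: "enterprise",
};

// Constructed multipliers applied to the base per-minute budgets.
const TIER_MULTIPLIER: Record<Tier, number> = { anonymous: 1, free: 1, pro: 5, enterprise: 20 };

// API key first; IP only as a fallback, so authenticated callers behind one
// NAT or corporate proxy never share a budget. With one trusted reverse proxy
// in front, the client address is the entry that proxy appended to
// X-Forwarded-For (the rightmost one); earlier entries are client-supplied
// and must not be used as the limit key, or the limit is trivially evaded.
export function resolveCaller(
  req: IncomingRequest,
  behindTrustedProxy: boolean,
): { key: string; tier: Tier } {
  const apiKey = req.headers["x-api-key"];
  const tier = apiKey ? API_KEY_TIERS[apiKey] : undefined;
  if (apiKey && tier) return { key: `key:${apiKey}`, tier };

  let ip = req.remoteAddr;
  if (behindTrustedProxy) {
    const hops = (req.headers["x-forwarded-for"] ?? "")
      .split(",")
      .map((h) => h.trim())
      .filter((h) => h.length > 0);
    if (hops.length > 0) ip = hops[hops.length - 1]!;
  }
  // Unknown or missing key: treat as anonymous, keyed by IP.
  return { key: `ip:${ip}`, tier: "anonymous" };
}

export interface Budget {
  limit: number;
  windowSec: number;
  algorithm: "sliding-window" | "token-bucket";
}

// Global default with stricter per-route overrides, using the skill's numbers:
// 5/min sliding window on auth routes (no tier bonus), 1000/min for reads,
// 100/min for everything else, scaled by tier.
export function budgetFor(req: IncomingRequest, tier: Tier): Budget {
  if (req.path === "/login" || req.path.startsWith("/auth/")) {
    return { limit: 5, windowSec: 60, algorithm: "sliding-window" };
  }
  const base = req.method === "GET" ? 1000 : 100;
  return { limit: base * TIER_MULTIPLIER[tier], windowSec: 60, algorithm: "token-bucket" };
}
```

The auth override deliberately ignores the tier: a leaked enterprise key should not buy its holder a larger credential-stuffing budget. Logging `key` alongside each 429 (the last rule above) is what makes the abuse pattern visible later.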

## Avoid

- In-memory rate limiting in serverless or multi-instance setups — state is lost between invocations
- Rate limiting only at the application layer — add CDN/edge limits too (Cloudflare, Vercel)
- Blocking legitimate users with overly aggressive limits — start permissive, tighten based on data
- Forgetting to rate limit webhooks and public form submissions

Why Use the Rate Limiting Skill?

Without this skill, your AI guesses at rate limiting patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.

Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.

Try These Prompts

These prompts work better with the Rate Limiting skill installed. Your AI knows the context and writes code that fits.

"Implement token bucket rate limiting with Redis and per-user/IP tracking"

"Create a rate limiter middleware with sliding window algorithm and custom response headers"

"Set up Upstash-based rate limiting with different tiers for authenticated and anonymous users"

Rate Limiting skill — FAQ

It covers token bucket, sliding window, and per-user/IP limiting with Redis and Upstash. Your AI implements rate limiters that protect your API without blocking legitimate traffic.

Run `npx skills add YepAPI/skills --skill rate-limiting` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.

The skill recommends sliding window for API endpoints and token bucket for WebSocket connections. Both are implemented with Redis for distributed deployments.
