Rate Limiting Java REST APIs

Token bucket, sliding window, and gateway-side strategies for protecting Java APIs.

February 15, 2025 · 3111 views

Approaches

Token bucket for burst+steady control; sliding window for fairness.
Enforce at edge (gateway/ingress) plus app-level for per-tenant safety.

Spring implementation

Use filters/interceptors with Redis/Lua for atomic buckets.
Key by tenant/user/IP; return 429 with Retry-After.
Expose metrics per key and rule; alert on near-capacity.

Considerations

Separate auth failures from rate limits; avoid blocking login endpoints too aggressively.
Keep rule configs dynamic; hot-reload from config store.
Combine with circuit breakers/timeouts for upstream dependencies.

Checklist

Edge and app-level limits defined.
Redis-based atomic counters/buckets with TTL.
Metrics + logs for limit decisions; alerts in place.