Wire and Logic
Hourly · Synthesized · Opinionated
engineeringSaturday, June 20, 2026·2 min read

Rate Limiting Algorithms: Token Bucket, Leaky Bucket, and Sliding Windows

Rate limiting algorithms like token bucket, leaky bucket, and sliding windows help prevent API abuse and ensure system stability.

File:Megalocystidium-Minimum Evolution-Tree.svg
Photo: Thkgk

Rate limiting is a crucial mechanism to control the frequency of requests to an API or service, preventing abuse and ensuring system stability. It determines how systems allocate finite capacity across users, services, and regions. Choosing the right rate limiting algorithm is essential to prevent boundary exploits, uneven load, or distributed consistency failures.

What happened

The fixed window algorithm divides time into discrete intervals and tracks the number of requests within each interval. However, it allows boundary burst amplification, where a client can send a large number of requests at the boundary of two intervals. The token bucket algorithm generates tokens at a steady rate, which are required to process requests, allowing bursts of traffic while maintaining an overall rate limit. The leaky bucket algorithm is best for shaping outbound or downstream traffic.

The sliding window algorithm models recent history and is a practical compromise for scale. The sliding log algorithm is the most accurate but can become memory-intensive.

Why it matters

Rate limiting is essential to prevent abuse, ensure system stability, and maintain fair resource allocation among users. It helps mitigate risks such as denial-of-service attacks, brute-force attempts, and resource exhaustion. Proper rate limiting ensures that legitimate users are not rate-limited into unresponsiveness.

Pros and Cons

+ Pros
  • Prevents abuse and ensures system stability
  • Maintains fair resource allocation among users
  • Helps mitigate risks such as denial-of-service attacks and brute-force attempts
Cons
  • Can be complex to implement and manage
  • May require significant resources and infrastructure
  • Can be challenging to choose the right algorithm

How to think about it

When choosing a rate limiting algorithm, consider the specific requirements of your system, including the type of traffic, the level of burst tolerance, and the need for fairness and abuse resistance. A useful mental model is to consider token bucket as modeling capacity accumulation, sliding window as modeling recent history, and fixed window as modeling discrete accounting periods.

FAQ

What is rate limiting?+
Rate limiting is a defensive mechanism designed to control the frequency of requests a client can make to a server or API within a specified timeframe.
What is the token bucket algorithm?+
The token bucket algorithm generates tokens at a steady rate, which are required to process requests, allowing bursts of traffic while maintaining an overall rate limit.
What is the sliding window algorithm?+
The sliding window algorithm models recent history and is a practical compromise for scale, allowing for a more accurate and efficient way to limit requests.
Sources
  1. 01Rate limiting algorithms: token bucket, leaky bucket, and sliding windows
  2. 02Rate Limiting Algorithms: Token Bucket vs Sliding Window vs Fixed Window
  3. 03From Token Bucket to Sliding Window: Pick the Perfect Rate Limiting Algorithm - API7.ai
  4. 04Rate Limiting Algorithms - System Design - GeeksforGeeks
Keep reading
Get the weekly dispatch

The week’s highest-signal tech and AI stories, synthesized into a five-minute read. One email a week, no spam, unsubscribe anytime.