Designing a Rate Limiter with Redis
Token bucket vs sliding window — implementing rate limits that actually work in production.
Jun 1, 2026 · 1 min read · Backend
Designing a Rate Limiter with Redis
Every public API needs rate limiting. Redis makes it cheap to implement at scale.
Fixed window
Simple counters per time bucket. Easy, but burst traffic at window edges can slip through.
Sliding window log
Store timestamps per request, trim old entries. Accurate, but memory-heavy at high QPS.
Token bucket (my default)
-- atomic decrement + refill in one round trip
local tokens = redis.call('GET', KEYS[1])
Refill tokens at a steady rate. Smooths bursts without punishing legitimate spikes.
Takeaway
Start with token bucket. Add per-route limits later. Log rejections — they're product signals.