← Back to Skills Marketplace
1738
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install api-rate-limiting
Description
Rate limiting algorithms, implementation strategies, HTTP conventions, tiered limits, distributed patterns, and client-side handling. Use when protecting APIs from abuse, implementing usage tiers, or configuring gateway-level throttling.
README (SKILL.md)
Rate Limiting Patterns
Algorithms
| Algorithm | Accuracy | Burst Handling | Best For |
|---|---|---|---|
| Token Bucket | High | Allows controlled bursts | API rate limiting, traffic shaping |
| Leaky Bucket | High | Smooths bursts entirely | Steady-rate processing, queues |
| Fixed Window | Low | Allows edge bursts (2x) | Simple use cases, prototyping |
| Sliding Window Log | Very High | Precise control | Strict compliance, billing-critical |
| Sliding Window Counter | High | Good approximation | Production APIs — best tradeoff |
Fixed window problem: A user sends the full limit at 11:59 and again at 12:01, doubling the effective rate. Sliding window fixes this.
Token Bucket
Bucket holds tokens up to capacity. Tokens refill at a fixed rate. Each request consumes one.
class TokenBucket:
def __init__(self, capacity: int, refill_rate: float):
self.capacity = capacity
self.tokens = capacity
self.refill_rate = refill_rate # tokens per second
self.last_refill = time.monotonic()
def allow(self) -> bool:
now = time.monotonic()
elapsed = now - self.last_refill
self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
self.last_refill = now
if self.tokens >= 1:
self.tokens -= 1
return True
return False
Sliding Window Counter
Hybrid of fixed window and sliding window log — weights the previous window's count by overlap percentage:
def sliding_window_allow(key: str, limit: int, window_sec: int) -> bool:
now = time.time()
current_window = int(now // window_sec)
position_in_window = (now % window_sec) / window_sec
prev_count = get_count(key, current_window - 1)
curr_count = get_count(key, current_window)
estimated = prev_count * (1 - position_in_window) + curr_count
if estimated >= limit:
return False
increment_count(key, current_window)
return True
Implementation Options
| Approach | Scope | Best For |
|---|---|---|
| In-memory | Single server | Zero latency, no dependencies |
Redis (INCR + EXPIRE) |
Distributed | Multi-instance deployments |
| API Gateway | Edge | No code, built-in dashboards |
| Middleware | Per-service | Fine-grained per-user/endpoint control |
Use gateway-level limiting as outer defense + application-level for fine-grained control.
HTTP Headers
Always return rate limit info, even on successful requests:
RateLimit-Limit: 1000
RateLimit-Remaining: 742
RateLimit-Reset: 1625097600
Retry-After: 30
| Header | When to Include |
|---|---|
RateLimit-Limit |
Every response |
RateLimit-Remaining |
Every response |
RateLimit-Reset |
Every response |
Retry-After |
429 responses only |
429 Response Body
{
"error": {
"code": "rate_limit_exceeded",
"message": "Rate limit exceeded. Maximum 1000 requests per hour.",
"retry_after": 30,
"limit": 1000,
"reset_at": "2025-07-01T12:00:00Z"
}
}
Never return 500 or 503 for rate limiting — 429 is the correct status code.
Rate Limit Tiers
Apply limits at multiple granularities:
| Scope | Key | Example Limit | Purpose |
|---|---|---|---|
| Per-IP | Client IP | 100 req/min | Abuse prevention |
| Per-User | User ID | 1000 req/hr | Fair usage |
| Per-API-Key | API key | 5000 req/hr | Service-to-service |
| Per-Endpoint | Route + key | 60 req/min on /search |
Protect expensive ops |
Tiered pricing:
| Tier | Rate Limit | Burst | Cost |
|---|---|---|---|
| Free | 100 req/hr | 10 | $0 |
| Pro | 5,000 req/hr | 100 | $49/mo |
| Enterprise | 100,000 req/hr | 2,000 | Custom |
Evaluate from most specific to least specific: per-endpoint > per-user > per-IP.
Distributed Rate Limiting
Redis-based pattern for consistent limiting across instances:
def redis_rate_limit(redis, key: str, limit: int, window: int) -> bool:
pipe = redis.pipeline()
now = time.time()
window_key = f"rl:{key}:{int(now // window)}"
pipe.incr(window_key)
pipe.expire(window_key, window * 2)
results = pipe.execute()
return results[0] \x3C= limit
Atomic Lua script (prevents race conditions):
local key = KEYS[1]
local limit = tonumber(ARGV[1])
local window = tonumber(ARGV[2])
local current = redis.call('INCR', key)
if current == 1 then
redis.call('EXPIRE', key, window)
end
return current \x3C= limit and 1 or 0
Never do separate GET then SET — the gap allows overcount.
API Gateway Configuration
NGINX:
http {
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
location /api/ {
limit_req zone=api burst=20 nodelay;
limit_req_status 429;
}
}
}
Kong:
plugins:
- name: rate-limiting
config:
minute: 60
hour: 1000
policy: redis
redis_host: redis.internal
Client-Side Handling
Clients must handle 429 gracefully:
async function fetchWithRetry(url: string, maxRetries = 3): Promise\x3CResponse> {
for (let attempt = 0; attempt \x3C maxRetries; attempt++) {
const res = await fetch(url);
if (res.status !== 429) return res;
const retryAfter = res.headers.get('Retry-After');
const delay = retryAfter
? parseInt(retryAfter, 10) * 1000
: Math.min(1000 * 2 ** attempt, 30000);
await new Promise(r => setTimeout(r, delay));
}
throw new Error('Rate limit exceeded after retries');
}
- Always respect
Retry-Afterwhen present - Use exponential backoff with jitter when absent
- Implement request queuing for batch operations
Monitoring
Track these metrics:
- Rate limit hit rate — % of requests returning 429 (alert if >5% sustained)
- Near-limit warnings — requests where remaining \x3C 10% of limit
- Top offenders — keys/IPs hitting limits most frequently
- Limit headroom — how close normal traffic is to the ceiling
- False positives — legitimate users being rate limited
Anti-Patterns
| Anti-Pattern | Fix |
|---|---|
| Application-only limiting | Always combine with infrastructure-level limits |
| No retry guidance | Always include Retry-After header on 429 |
| Inconsistent limits | Same endpoint, same limits across services |
| No burst allowance | Allow controlled bursts for legitimate traffic |
| Silent dropping | Always return 429 so clients can distinguish from errors |
| Global single counter | Per-endpoint counters to protect expensive operations |
| Hard-coded limits | Use configuration, not code constants |
NEVER Do
- NEVER rate limit health check endpoints — monitoring systems will false-alarm
- NEVER use client-supplied identifiers as sole rate limit key — trivially spoofed
- NEVER return
200 OKwhen rate limiting — clients must know they were throttled - NEVER set limits without measuring actual traffic first — you'll block legitimate users or set limits too high to matter
- NEVER share counters across unrelated tenants — noisy neighbor problem
- NEVER skip rate limiting on internal APIs — misbehaving internal services can take down shared infrastructure
- NEVER implement rate limiting without logging — you need visibility to tune limits and detect abuse
Usage Guidance
This skill is an instruction-only reference about rate limiting and appears internally consistent. Before using: review any example install commands (the README's npx/copy examples) and avoid running unfamiliar scripts or downloads; if you adapt the snippets to production, ensure atomic operations for counters (use the shown Lua script or equivalent), secure your Redis/gateway endpoints, and validate header formats and limits against your privacy/security requirements.
Capability Analysis
Type: OpenClaw Skill
Name: api-rate-limiting
Version: 1.0.0
The skill bundle provides comprehensive documentation and code examples for implementing rate limiting patterns. All code snippets are illustrative and do not contain any malicious functions or system calls. The `SKILL.md` and `README.md` files are purely informational and educational, lacking any prompt injection attempts, instructions for data exfiltration, persistence, or other harmful behaviors. The installation instructions involve copying local files or using `npx add` from a public GitHub repository, which is the source of the skill itself, and does not introduce external malicious dependencies.
Capability Assessment
Purpose & Capability
Name/description match the content: SKILL.md contains algorithms, gateway examples (NGINX, Kong), Redis patterns, HTTP header guidance, client retry patterns and monitoring notes — all appropriate for a rate-limiting skill.
Instruction Scope
Runtime instructions and code snippets remain within the domain of rate limiting. The examples reference helper functions (get_count, increment_count) and Redis, which are reasonable placeholders; nothing in the instructions asks the agent to read unrelated files, exfiltrate secrets, or contact unexpected endpoints. The README includes example install copy commands (local paths) and an npx URL example (documentation only) but the skill itself is instruction-only.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by the skill. The README documents manual copy commands and an 'npx add' example pointing at a GitHub tree; those are documentation instructions rather than an automated install spec. As always, verify any external install command before running it.
Credentials
The skill declares no required environment variables, credentials, or config paths. Example configs reference Redis hosts (e.g., redis.internal) which is appropriate for distributed rate limiting and consistent with the stated purpose.
Persistence & Privilege
Flags show default behavior (not always:true). There is no install, no persistent privileges requested, and the skill does not attempt to modify other skills or system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install api-rate-limiting - After installation, invoke the skill by name or use
/api-rate-limiting - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release featuring comprehensive documentation on rate limiting algorithms, implementation strategies, HTTP conventions, tiered limits, distributed patterns, and client-side handling.
- Provides practical code samples for Token Bucket, Sliding Window Counter, Redis-based distributed rate limiting (Python and Lua), and API gateway configuration (NGINX, Kong).
- Details recommended HTTP headers and response structures for communicating rate limits and 429 errors.
- Covers best practices, anti-patterns, and critical "never do" guidelines for robust API rate limiting.
- Includes monitoring recommendations and client retry logic examples.
Metadata
Frequently Asked Questions
What is API Rate Limiting?
Rate limiting algorithms, implementation strategies, HTTP conventions, tiered limits, distributed patterns, and client-side handling. Use when protecting APIs from abuse, implementing usage tiers, or configuring gateway-level throttling. It is an AI Agent Skill for Claude Code / OpenClaw, with 1738 downloads so far.
How do I install API Rate Limiting?
Run "/install api-rate-limiting" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is API Rate Limiting free?
Yes, API Rate Limiting is completely free (open-source). You can download, install and use it at no cost.
Which platforms does API Rate Limiting support?
API Rate Limiting is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created API Rate Limiting?
It is built and maintained by wpank (@wpank); the current version is v1.0.0.
More Skills