
Introduction to Arcjet Rate Limiting

Arcjet rate limiting lets you control how many requests a client can make to your application or API over a given period of time.

What is Arcjet? Arcjet is the runtime policy engine for AI features. Authorize tools, control budgets, and protect against spam and bots. A developer-first approach to securing AI applications.

Rate limiting is the foundation of AI Budget Control: it enforces per-user token quotas and prevents cost explosions in AI applications. Token bucket rate limiting maps directly onto AI token consumption: deduct the estimated token cost of each request from the user's bucket and deny the request when the bucket is exhausted. Because the exact token usage of a request is only known after the model has responded, the deduction is made up front from an estimate (for example, one derived from the prompt length). Combined with bot protection, rate limiting gives you complete control over AI application access and spend.

Application-level rate limiting is also useful to protect your server from overload, prevent abuse of APIs, and make brute-force login attacks expensive and impractical.

Other platforms also provide rate limiting, usually at the CDN or network layer. Arcjet rate limiting is different because you configure limits inside your application code. This gives you full, dynamic control over what to allow or block, where, and when. You can use different strategies per route, per endpoint, or based on user subscription level.

You do not need any extra infrastructure (such as Redis) to keep track of state. Arcjet handles rate limit tracking for you.

Use Arcjet rate limiting to protect your application and APIs from abuse and excessive traffic. For example:

  • Control AI token spend Limit how many tokens a user can consume per hour (for example, 5,000 tokens/hour) using a token bucket that maps to your AI provider’s billing model. Prevents cost attacks and enforces per-user AI usage budgets.

  • Protect login and authentication flows Limit how often a user can attempt to log in (for example, 5 attempts in 5 minutes) to slow down attackers trying many username/password combinations.

  • Throttle API clients Limit how many requests a client can make to an API (for example, 100 requests per minute) to prevent a single client from overloading your API or impacting other users.

  • Enforce quotas and usage tiers Implement per-plan quotas (for example, free tier clients can make 1,000 requests per day, paid tiers get higher limits) and enforce them directly in your application code.

Rate limiting is complementary to Arcjet Shield WAF. Shield analyzes what kind of requests are made over time and blocks clients that show repeated suspicious behavior, while rate limiting focuses on controlling request volume and frequency.

Arcjet rate limiting keeps track of how many requests a client makes and compares this to the limits you configure. When a client exceeds a configured limit, Arcjet marks the request as over limit so your application can block, delay, or otherwise handle it. The client is allowed again once the window resets or, for a token bucket, once enough tokens have been refilled to cover the request.

Tracking happens in the Arcjet Cloud API and does not require any additional infrastructure such as Redis. State is maintained for you, even across multiple instances of your application.

Arcjet supports several rate limiting algorithms so you can choose the behavior that best fits your use case:

  • Fixed window Counts requests in discrete time windows (for example, 100 requests per minute, reset every minute). Simple, but a client can send up to twice the limit in a short burst that straddles a window boundary.

  • Sliding window Uses a moving time window that always covers the most recent interval, which smooths out bursts and avoids the sharp reset boundaries of a fixed window.

  • Token bucket Each request consumes one or more tokens from a bucket that refills at a steady rate up to a fixed capacity. This allows short bursts up to the capacity while enforcing an average rate over time.

You can choose different algorithms for different endpoints, clients, or subscription tiers.
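The three algorithms above, as an added example written for this page rather than Arcjet's own code. The classes and names are this example's (Arcjet keeps this state in its cloud API; here it lives in a Map), time is an injected clock in seconds so the behaviour is deterministic, and the `requested` argument on the token bucket is how an estimated AI token cost is charged against a budget. The two scenarios at the end show the fixed-window boundary burst that a sliding window prevents, and a 5,000 tokens/hour budget being spent, denied, and refilled.

```javascript
// Added example, not Arcjet's code: fixed window, sliding window and token
// bucket limiters keyed by a client fingerprint, with an explicit clock.

class FixedWindow {
  constructor(limit, windowSec) {
    this.limit = limit;
    this.windowSec = windowSec;
    this.counts = new Map(); // key -> { windowStart, count }
  }
  check(key, now) {
    const windowStart = Math.floor(now / this.windowSec) * this.windowSec;
    const prev = this.counts.get(key);
    const count = prev && prev.windowStart === windowStart ? prev.count : 0;
    const resetAt = windowStart + this.windowSec;
    if (count >= this.limit) return { allowed: false, remaining: 0, resetAt };
    this.counts.set(key, { windowStart, count: count + 1 });
    return { allowed: true, remaining: this.limit - count - 1, resetAt };
  }
}

class SlidingWindow {
  constructor(limit, windowSec) {
    this.limit = limit;
    this.windowSec = windowSec;
    this.logs = new Map(); // key -> timestamps of allowed requests
  }
  check(key, now) {
    // Keep only requests inside the window ending at `now`.
    const log = (this.logs.get(key) || []).filter((t) => t > now - this.windowSec);
    if (log.length >= this.limit) {
      this.logs.set(key, log);
      return { allowed: false, remaining: 0 };
    }
    log.push(now);
    this.logs.set(key, log);
    return { allowed: true, remaining: this.limit - log.length };
  }
}

class TokenBucket {
  constructor(capacity, refillRate, intervalSec) {
    this.capacity = capacity; // burst ceiling
    this.refillRate = refillRate; // tokens added per interval
    this.intervalSec = intervalSec;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }
  // `requested` is the cost of this request; for an AI budget it is the
  // estimated token count of the prompt plus the expected completion.
  check(key, now, requested = 1) {
    const b = this.buckets.get(key) || { tokens: this.capacity, updatedAt: now };
    const elapsed = Math.max(0, now - b.updatedAt);
    const tokens = Math.min(this.capacity, b.tokens + (elapsed * this.refillRate) / this.intervalSec);
    if (requested > tokens) {
      // A denied request consumes nothing and leaves the bucket untouched.
      return { allowed: false, remaining: tokens };
    }
    this.buckets.set(key, { tokens: tokens - requested, updatedAt: now });
    return { allowed: true, remaining: tokens - requested };
  }
}

// 100 requests at t=59s and 100 more at t=60s. A 100/minute fixed window
// resets at the minute boundary and admits all 200; a sliding window admits 100.
function boundaryBurst(limiter) {
  let allowed = 0;
  for (const t of [59, 60]) {
    for (let i = 0; i < 100; i++) if (limiter.check("client-a", t).allowed) allowed++;
  }
  return allowed;
}

// A 5,000 tokens/hour AI budget with a 5,000 token burst ceiling.
function aiBudgetScenario() {
  const budget = new TokenBucket(5000, 5000, 3600);
  return [
    budget.check("user-1", 0, 3000).allowed, // bucket starts full: allowed
    budget.check("user-1", 1, 3000).allowed, // ~2,001 tokens left: denied
    budget.check("user-1", 1800, 3000).allowed, // half an hour refills 2,500: allowed
    budget.check("user-1", 1800, 3000).allowed, // 1,500 left: denied
  ];
}

console.log(
  "fixed window:", boundaryBurst(new FixedWindow(100, 60)),
  "sliding window:", boundaryBurst(new SlidingWindow(100, 60)),
  "AI budget:", aiBudgetScenario()
);
```

The sliding window here is a sliding log (it stores every allowed timestamp), which is exact but costs memory per client; production systems usually use a weighted count of the current and previous fixed windows instead. The token bucket deliberately does not write state on a denial, so the refill clock keeps running from the last successful deduction.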

Clients are tracked by configurable fingerprints that include IP addresses by default. This means clients using the same IP address are counted and limited together.

To ensure rate limits are applied correctly, choose fingerprint characteristics that align with your concept of a “user”. For example:

  • IP address only (per-IP limits)
  • IP + API key (per-client limits)
  • User ID or authentication token (per-account limits)

Matching fingerprints to the right identifiers is critical to applying rate limits fairly and avoiding unintended blocking. Per-IP limits lump together every user behind a shared NAT or corporate proxy, and an attacker with many IP addresses can spread requests across them, so authenticated endpoints are better keyed on the account than on the address.
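How the choice of characteristics changes who shares a limit, as an added example that is not Arcjet's code. The `fingerprint` function, the `Counter`, and the request objects (IP addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed for this example; the simulation replays the same requests under different characteristic sets and reports how many each caller got through.

```javascript
// Added example, not Arcjet's code: build the key a limiter counts under from
// the chosen request characteristics and see which clients end up sharing it.

function fingerprint(req, characteristics) {
  return characteristics
    .map((c) => {
      if (req[c] === undefined || req[c] === "") {
        // A missing characteristic would silently merge clients into one key.
        throw new Error(`request is missing characteristic "${c}"`);
      }
      return `${c}=${req[c]}`;
    })
    .join("|");
}

// Minimal per-fingerprint counter; the algorithm and window do not matter here.
class Counter {
  constructor(limit) {
    this.limit = limit;
    this.counts = new Map();
  }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Replay [callerName, request] pairs; return the allowed count per caller.
function simulate(characteristics, limit, requests) {
  const counter = new Counter(limit);
  const allowed = {};
  for (const [name, req] of requests) {
    const ok = counter.allow(fingerprint(req, characteristics));
    allowed[name] = (allowed[name] || 0) + (ok ? 1 : 0);
  }
  return allowed;
}

// Constructed traffic: two legitimate API clients behind one office NAT address.
const alice = { ip: "203.0.113.10", apiKey: "ak_alice", userId: "u-1" };
const bob = { ip: "203.0.113.10", apiKey: "ak_bob", userId: "u-2" };
const sharedIp = [
  ["alice", alice], ["alice", alice], ["alice", alice],
  ["bob", bob], ["bob", bob], ["bob", bob],
];

// Constructed traffic: one account spraying requests from rotating addresses.
const rotating = [1, 2, 3, 4, 5, 6].map((i) => [
  "attacker",
  { ip: `198.51.100.${i}`, apiKey: "ak_x", userId: "u-9" },
]);

function sharedIpPerIp() { return simulate(["ip"], 3, sharedIp); } // bob starved by alice
function sharedIpPerClient() { return simulate(["ip", "apiKey"], 3, sharedIp); } // each gets 3
function rotatingPerIp() { return simulate(["ip"], 3, rotating); } // limit evaded
function rotatingPerAccount() { return simulate(["userId"], 3, rotating); } // limit holds

// An unauthenticated request under a per-account characteristic is refused
// rather than falling back to a key every anonymous caller would share.
function rejectsMissingCharacteristic() {
  try {
    fingerprint({ ip: "203.0.113.10" }, ["userId"]);
    return false;
  } catch {
    return true;
  }
}

console.log(sharedIpPerIp(), sharedIpPerClient(), rotatingPerIp(), rotatingPerAccount());
```

Apply per-account characteristics only on routes where the account is already authenticated; on a login route the user ID is not yet trusted, so an IP-based or IP-plus-username key is the usual fallback there.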

Rate limiting is available on all Arcjet plans:

Plan         Availability
Free         Available
Starter      Available
Business     Available
Enterprise   Available
