Skip to content

Arcjet rate limiting

Arcjet rate limiting allows you to define rules which limit the number of requests a client can make over a period of time.

What is Arcjet? Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email validation, and defense against common attacks.

Why do you need rate limiting?

Rate limiting is a common technique used to prevent abuse of your application. It can be used to:

  • Prevent brute force attacks on your login page. E.g. a user can only attempt to login 5 times in a 5 minute period. This prevents an attacker from trying multiple username or password combinations.
  • Prevent API clients from making too many requests. E.g. a client can only make 100 requests per minute. This prevents a client from overloading your API.
  • Implement quotas e.g. a free tier client can only make 1000 requests per day.

Rate limit algorithms

Arcjet supports 3 different rate limit algorithms: fixed window, sliding window and token bucket.

Rate limit rules

Arcjet allows you to define one or many rate limit rules. Each rule has a set of configuration options depending on the algorithm used. See the Configuration documentation for more details.

How it works

Arcjet rate limiting keeps track of the number of requests made by a client based on certain characteristics such as a specific HTTP header or an authentication token. If no characteristics are provided, clients are tracked by IP address by default. When a client exceeds the limit, they are blocked from making any further requests until the reset time indicated in the response.

Unlike other rate limiting systems, Arcjet does not require any other infrastructure to keep track of state. Tracking is handled by Arcjet’s API, which runs close to your application e.g. in the same AWS region. This means you can use Arcjet to implement rate limiting without using a system like Redis. All you need to do is install the Arcjet SDK and define the rules, we manage everything for you.

Using Arcjet rate limiting requires a call to our API to manage state, so adds a small overhead of 10-20ms per request. Once a client is blocked, Arcjet can cache the decision locally within your infrastructure e.g. by using an in-memory cache. This allows subsequent requests to return a block decision in < 1ms.

Blocking based on fingerprint

If Arcjet detects rate limit excesses, it will block further traffic based on a fingerprint of the client, which includes the IP address by default. This decision is cached locally for a period based on the rate limit configuration.

This could temporarily block traffic from legitimate clients using the same IP address. To ensure that rate limits are applied correctly we recommend that you carefully select characteristics so that will not result in the same fingerprint being generated for different users.

Discussion