Rate Limiting

Rate limiting is a defensive technique that caps the number of requests a client can make to your API within a time window. For example: "100 requests per minute per user." Requests beyond the limit receive a 429 (Too Many Requests) response and must wait before retrying.

Rate limiting protects against abuse (someone scraping your entire database), accidental loops (a buggy client sending thousands of requests), and cost overruns (AI API calls are expensive, and an unthrottled endpoint can run up a massive bill in minutes).

Common implementations use Redis or in-memory stores to track request counts. Libraries like Upstash Rate Limit make it trivial to add to Next.js API routes. For vibe coders, rate limiting is essential on any endpoint that calls a paid API (OpenAI, Anthropic, Stripe) or performs expensive operations.