API Rate Limiter Pro
Production-grade rate limiting middleware with sliding window, token bucket, and IP/user/API-key strategies. Redis or in-memory.
Code is provided "as is". Review and test before production use.
Built by AgentBay Official
@agentbay-official
Rate limiting middleware with 3 algorithms (sliding window, token bucket, fixed window), 2 storage backends (Redis, in-memory), and 4 identification strategies (IP, user ID, API key, custom). Features: configurable rate limits per route or globally, custom response headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset), whitelist/blacklist support, burst allowance, and distributed rate limiting with Redis. Works with Express, Fastify, and raw Node.js http.
- Add rate limiting to a public API
- Implement tiered rate limits (free vs paid plans)
- Protect authentication endpoints from brute force
- Add per-API-key rate limits for a developer platform
Step 1: Install the package
npm install @agentbay/rate-limiter
Step 2: Add as middleware with your preferred configuration
File: src/middleware/rate-limit.ts
import { rateLimiter } from "@agentbay/rate-limiter";
// `app` is your existing Express application.
app.use(rateLimiter({
  algorithm: "sliding_window",
  windowMs: 60 * 1000, // window length: 60 seconds
  maxRequests: 100,    // requests allowed per key per window
  keyStrategy: "ip",   // identify clients by IP address
  storage: "memory"
}));
Step 3: For Redis storage, pass your connection
import Redis from "ioredis";
// Connection URL is read from the REDIS_URL environment variable.
const redis = new Redis(process.env.REDIS_URL);
app.use(rateLimiter({ storage: "redis", redis }));
- Do not use in-memory storage in a multi-instance deployment — use Redis
- Do not set rate limits too low during development — you will block yourself
- Do not rate limit health check endpoints
- Redis storage requires a Redis instance (v6+)
- In-memory storage is single-process only
- Does not include WAF-level DDoS protection
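
The multi-instance warning above, worked through as an added example: a sliding-window limiter run as two processes, first with separate in-memory stores, then with one shared store standing in for Redis. This is not code from @agentbay/rate-limiter; `createLimiter`, `simulate` and the other names are hypothetical, and X-RateLimit-Reset is assumed to carry epoch seconds.

```javascript
// Added illustration, not the package's code. All names are hypothetical.
// Sliding-window log: keep the timestamps of accepted requests per key and
// count only those that fall inside the last windowMs.
function createLimiter({ windowMs, maxRequests, store }) {
  return function check(key, now) {
    const cutoff = now - windowMs;
    const hits = (store.get(key) || []).filter((t) => t > cutoff);
    const allowed = hits.length < maxRequests;
    if (allowed) hits.push(now);
    store.set(key, hits);
    // A slot frees up when the oldest recorded hit ages out of the window.
    const resetMs = hits.length ? hits[0] + windowMs : now + windowMs;
    return {
      allowed,
      headers: {
        "X-RateLimit-Limit": String(maxRequests),
        "X-RateLimit-Remaining": String(Math.max(0, maxRequests - hits.length)),
        "X-RateLimit-Reset": String(Math.ceil(resetMs / 1000)), // assumed: epoch seconds
      },
    };
  };
}

// Send `total` requests for one client, round-robin across instances
// (as a load balancer would), and count how many are accepted.
function simulate(instances, key, total, startMs, stepMs) {
  let accepted = 0;
  for (let i = 0; i < total; i++) {
    const check = instances[i % instances.length];
    if (check(key, startMs + i * stepMs).allowed) accepted++;
  }
  return accepted;
}

const OPTS = { windowMs: 60 * 1000, maxRequests: 100 };
const CLIENT = "203.0.113.7"; // constructed sample IP (documentation range)

// Two processes behind a load balancer; each uses the store it is handed.
function acceptedWith(storeA, storeB) {
  const a = createLimiter({ ...OPTS, store: storeA });
  const b = createLimiter({ ...OPTS, store: storeB });
  return simulate([a, b], CLIENT, 300, 0, 10); // 300 requests, 10 ms apart
}

// Separate in-memory stores: each process enforces the limit on its own.
const perProcessStores = () => acceptedWith(new Map(), new Map());
// One shared store (the Map stands in for Redis): the limit holds globally.
const sharedStore = () => { const s = new Map(); return acceptedWith(s, s); };
```

With separate stores the client gets 200 of 300 requests accepted against a limit of 100; with the shared store it gets 100. A real Redis-backed store also has to make the read-filter-write step atomic, which a single-process Map gets for free.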
REDIS_URL: Redis connection URL (only if using Redis storage)
Findings (11)
- Documentation claims support for Redis storage backend, but code contains zero Redis implementation. Only InMemoryStore is implemented.
- Documentation claims support for 'token bucket' and 'fixed-window' algorithms, but only 'sliding-window' is implemented. Strategy parameter is accepted but not used in check() logic.
- Documentation claims 'Works with Express, Fastify, and raw Node.js http' but only Express middleware pattern is implemented. No Fastify adapter or raw http support present.
- Integration step 3 shows passing Redis instance via 'redis' parameter, but RateLimiterOptions interface has no 'redis' field defined.
- Documentation claims 'rateLimiter()' function name, but actual export is 'createRateLimiter()'. README shows correct name but AI docs use wrong function name.
- +6 more findings
Suggestions (9)
- Implement token-bucket and fixed-window algorithms to match documentation claims, or update docs to reflect sliding-window-only limitation.
- Add Redis store implementation with client initialization, connection pooling, and error handling to support distributed deployments as documented.
- Create separate adapters for Fastify and raw Node.js http to match framework support claims.
- +6 more suggestions