DEV Community: Ridwan Olanrewaju Azeez The latest articles on DEV Community by Ridwan Olanrewaju Azeez (@jpegcreate). https://dev.to/jpegcreate https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3812977%2F06202522-f800-408e-a267-d1fd63e78510.jpeg DEV Community: Ridwan Olanrewaju Azeez https://dev.to/jpegcreate en Building a Distributed Rate Limiter for FastAPI with Redis (Sliding Window Algorithm) Ridwan Olanrewaju Azeez Sun, 08 Mar 2026 16:12:38 +0000 https://dev.to/jpegcreate/building-a-distributed-rate-limiter-for-fastapi-with-redis-sliding-window-algorithm-5h10 https://dev.to/jpegcreate/building-a-distributed-rate-limiter-for-fastapi-with-redis-sliding-window-algorithm-5h10 <h2> Building a Distributed Rate Limiter for FastAPI with Redis </h2> <p>Every API eventually runs into the same problem.</p> <p>A bot, scraper, or even a buggy client suddenly starts sending thousands of requests per second. When that happens, your server slows down, your database struggles, and real users start seeing errors.</p> <p>This is exactly the kind of situation <strong>rate limiting</strong> is meant to prevent.</p> <p>Recently I built <strong>RateGuard</strong>, a small Python library that adds distributed rate limiting to FastAPI using Redis. In this post I want to walk through how it works and the design decisions behind it.</p> <h2> Why I Built RateGuard </h2> <p>While working with FastAPI, I looked at a few rate limiting libraries. Most of them had at least one issue.</p> <p>Some only support <strong>in-memory limits</strong>, which means they break once your API runs on multiple servers.</p> <p>Others work in distributed setups but require more infrastructure than I wanted.</p> <p>So I decided to build something simple with a few goals in mind:</p> <ul> <li>easy to plug into FastAPI</li> <li>works across multiple servers</li> <li>accurate under heavy traffic</li> <li>simple enough to understand and maintain</li> </ul> <p>That became <strong>RateGuard</strong>.</p> <h2> What Is Rate Limiting? </h2> <p>Rate limiting controls how many requests a user can send to an API within a certain time period.</p> <p>For example:</p> <ul> <li>a user can send <strong>10 requests per minute</strong> </li> <li>after the limit is reached they receive a <code>429 Too Many Requests</code> response</li> <li>after the time window passes the limit resets</li> </ul> <p>A simple analogy is a coffee shop rule:</p> <blockquote> <p>One free coffee per customer per hour.</p> </blockquote> <p>The barista keeps track of who got a coffee and when. If you come back too soon, you have to wait.</p> <h2> Why Not Just Use a Counter? </h2> <p>A very common approach is to use a simple counter that resets every minute.</p> <p>The problem is that this method can be abused.</p> <p>Imagine your limit is <strong>10 requests per minute</strong> and the counter resets at exactly <strong>12:00:00</strong>.</p> <p>A user could do this:</p> <ul> <li>send 10 requests at 11:59:55</li> <li>the counter resets at 12:00:00</li> <li>send another 10 requests at 12:00:05</li> </ul> <p>That ends up being <strong>20 requests in about 10 seconds</strong>, even though the limit is supposed to be 10 per minute.</p> <p>This issue is called the <strong>fixed window problem</strong>.</p> <h2> The Sliding Window Approach </h2> <p>To avoid this problem, RateGuard uses the <strong>sliding window algorithm</strong>.</p> <p>Instead of resetting at fixed times, it always looks back a certain number of seconds from the current request.</p> <p>The logic looks like this:</p> <ol> <li>a request arrives at time <code>T</code> </li> <li>check all requests between <code>T - window</code> and <code>T</code> </li> <li>remove anything older than the window</li> <li>count the remaining requests</li> <li>if the count is below the limit, allow the request</li> <li>otherwise return a <code>429</code> response</li> </ol> <p>Going back to the coffee shop example, instead of resetting every hour on the clock, the barista asks:</p> <blockquote> <p>Did this person get a coffee in the last 60 minutes?</p> </blockquote> <p>The time window moves forward with every request.</p> <h2> Basic Architecture </h2> <p>RateGuard sits between incoming requests and your FastAPI application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client Request | v FastAPI Server | v RateGuard Middleware | v Redis Sorted Set | v Allow or Block Request </code></pre> </div> <p>Redis stores request timestamps so every server in the system can see them.</p> <h2> Why Redis? </h2> <p>Redis is a good fit for rate limiting for two main reasons.</p> <h3> Speed </h3> <p>Rate limiting runs on <strong>every request</strong>, so it has to be fast. Redis is an in-memory data store and can handle a huge number of operations per second.</p> <h3> Shared state </h3> <p>If your API runs on several servers, each one needs to know how many requests have already been made. Redis works as a shared store that all servers can read from and write to.</p> <h2> Using Redis Sorted Sets </h2> <p>RateGuard stores request data inside a <strong>Redis Sorted Set</strong>.</p> <p>A sorted set stores values with a score. The score determines the order.</p> <p>In this case:</p> <ul> <li>the <strong>score</strong> is the request timestamp</li> <li>the <strong>value</strong> is a unique request ID</li> </ul> <p>Example data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Key: ratelimit:192.168.1.1 1709856060000 -&gt; req_abc123 1709856080000 -&gt; req_def456 1709856100000 -&gt; req_xyz789 </code></pre> </div> <p>For each request, RateGuard:</p> <ol> <li>removes entries older than the time window</li> <li>counts the remaining entries</li> <li>decides whether to allow or block the request</li> <li>records the new request</li> </ol> <p>This approach works well even when multiple servers are handling traffic.</p> <h2> Installing RateGuard </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>rate-guardian </code></pre> </div> <p>You will also need a Redis instance. I used Upstash Redis, which has a generous free tier.</p> <h2> Quick Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">rateguard</span> <span class="kn">import</span> <span class="n">RateGuard</span><span class="p">,</span> <span class="n">RateLimitMiddleware</span><span class="p">,</span> <span class="n">rate_limit</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">RateGuard</span><span class="p">(</span> <span class="n">redis_url</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">UPSTASH_REDIS_REST_URL</span><span class="sh">"</span><span class="p">],</span> <span class="n">redis_token</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">UPSTASH_REDIS_REST_TOKEN</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">RateLimitMiddleware</span><span class="p">,</span> <span class="n">limiter</span><span class="o">=</span><span class="n">limiter</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">window</span><span class="o">=</span><span class="mi">60</span> <span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">home</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">API is protected by RateGuard</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p>After adding the middleware, every endpoint is automatically protected.</p> <h2> Per Route Limits </h2> <p>Sometimes you want stricter limits for certain endpoints.</p> <p>For example, a search endpoint that queries a database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@rate_limit</span><span class="p">(</span><span class="n">limiter</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">window</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">q</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">q</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]}</span> </code></pre> </div> <p>Now <code>/search</code> only allows <strong>5 requests per minute</strong>.</p> <h2> Response Headers </h2> <p>RateGuard includes useful headers in responses.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Header</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>X-RateLimit-Limit</td> <td>Maximum allowed requests</td> </tr> <tr> <td>X-RateLimit-Remaining</td> <td>Requests left</td> </tr> <tr> <td>X-RateLimit-Reset</td> <td>Seconds until reset</td> </tr> <tr> <td>Retry-After</td> <td>Only present on 429 responses</td> </tr> </tbody> </table></div> <p>These help clients know when to slow down.</p> <h2> What Happens If Redis Fails? </h2> <p>One design decision I made was to <strong>fail open</strong>.</p> <p>If Redis is temporarily unavailable, requests are allowed instead of blocked.</p> <p>For most APIs, blocking all traffic because Redis is down would be worse than briefly running without rate limiting.</p> <h2> Core Logic Example </h2> <p>Here is a simplified version of the main logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="k">def</span> <span class="nf">is_allowed</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="n">oldest</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="p">(</span><span class="n">window</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="n">pipe</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">redis</span><span class="p">.</span><span class="nf">pipeline</span><span class="p">()</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zremrangebyscore</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">oldest</span><span class="p">)</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zcard</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">zadd</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="p">{</span><span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()):</span> <span class="n">now</span><span class="p">})</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">expire</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">window</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">pipe</span><span class="p">.</span><span class="nf">exec</span><span class="p">()</span> <span class="n">count</span> <span class="o">=</span> <span class="n">results</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="n">allowed</span> <span class="o">=</span> <span class="n">count</span> <span class="o">&lt;</span> <span class="n">limit</span> <span class="k">return</span> <span class="n">allowed</span> </code></pre> </div> <p>Using a pipeline groups the Redis operations together and avoids race conditions.</p> <h2> What's Next </h2> <p>A few improvements I plan to add:</p> <ul> <li>support for standard Redis deployments</li> <li>rate limiting by user ID</li> <li>an optional token bucket algorithm</li> <li>better metrics and monitoring</li> </ul> <h2> Try It Out </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>rate-guardian </code></pre> </div> <p>GitHub: <a href="https://github.com/Jpeg-create/rate-guard" rel="noopener noreferrer">https://github.com/Jpeg-create/rate-guard</a></p> <p>PyPI: <a href="https://pypi.org/project/rate-guardian/" rel="noopener noreferrer">https://pypi.org/project/rate-guardian/</a></p> <p>If you find it useful, a ⭐ on GitHub means a lot.</p> python api redis opensource