DEV Community: Manas Kulkarni The latest articles on DEV Community by Manas Kulkarni (@manas_kulkarni_a60d00c08b). https://dev.to/manas_kulkarni_a60d00c08b https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3784953%2Fda43ff77-0727-4527-b052-27e7247dba1c.jpg DEV Community: Manas Kulkarni https://dev.to/manas_kulkarni_a60d00c08b en Node.js Token Bucket Rate Limiter Manas Kulkarni Sun, 22 Feb 2026 13:44:46 +0000 https://dev.to/manas_kulkarni_a60d00c08b/nodejs-token-bucket-rate-limiter-3n6k https://dev.to/manas_kulkarni_a60d00c08b/nodejs-token-bucket-rate-limiter-3n6k <p>This is a compact, production-minded implementation of a Token Bucket rate limiter for Express. It demonstrates a per-IP token-bucket, request logging, metrics, and a Redis-backed approach for correctness under concurrency and horizontal scaling.</p> <p>TL;DR</p> <ul> <li>Capacity: 10 tokens per IP</li> <li>Refill: 1 token / second</li> <li>Each request consumes 1 token</li> <li>State persisted in Redis; recommended atomic updates via Redis Lua scripting</li> </ul> <p>Why this project</p> <p>Implementing a simple in-memory limiter is straightforward, but it fails when multiple Node processes or concurrent requests are involved. Persisting per-IP state in Redis and performing atomic updates prevents race conditions and makes the limiter safe for production-like environments. This repo keeps the implementation small and easy to follow.</p> <p>Features</p> <ul> <li>Token Bucket algorithm (burst + steady-rate control)</li> <li>Per-IP state persisted in Redis</li> <li>Designed for atomic, server-side updates in Redis (Lua/EVAL recommended)</li> <li>Request logging via <code>pino</code> </li> <li>Minimal metrics endpoint for quick observability</li> </ul> <p>How it works</p> <ol> <li>Request arrives at <code>/api/data</code>.</li> <li>Middleware looks up per-IP token state in Redis.</li> <li>Refill and consume logic runs atomically in Redis (recommended via Lua script).</li> <li>If a token is available the middleware calls <code>next()</code>; otherwise it returns HTTP 429.</li> </ol> <p>Correctness note — why Redis</p> <p>If you do a <code>GET</code> → modify → <code>SET</code> from Node, two concurrent requests can both read the same state and both consume the same token, allowing more requests than intended. By moving the read-modify-write to Redis (a single <code>EVAL</code>/Lua call) the operation becomes atomic and Redis guarantees no interleaving between concurrent requests.</p> <p>Installation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> </code></pre> </div> <p>Run (local)</p> <p>Make sure Redis is running locally on <code>redis://localhost:6379</code> then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node server.js </code></pre> </div> <p>Endpoints</p> <ul> <li> <code>GET /api/data</code> — protected endpoint</li> <li> <code>GET /metrics</code> — in-memory metrics (total/allowed/blocked)</li> </ul> <p>Key files</p> <ul> <li> <code>rateLimiterMiddleware.js</code> — middleware, currently reads/writes Redis; recommended atomic update is described below</li> <li> <code>tokenBucket.js</code> — token bucket model used when state is reconstructed in JS</li> <li> <code>redisClient.js</code> — Redis connection helper</li> <li> <code>metrics.js</code> — simple in-memory counters</li> </ul> <p>Examples / code snippets</p> <p>Token bucket model (<code>tokenBucket.js</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">TokenBucket</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">capacity</span><span class="p">,</span> <span class="nx">refillRate</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">capacity</span> <span class="o">=</span> <span class="nx">capacity</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">refillRate</span> <span class="o">=</span> <span class="nx">refillRate</span><span class="p">;</span> <span class="c1">// tokens per second</span> <span class="k">this</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">=</span> <span class="nx">capacity</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastRefill</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="p">}</span> <span class="nf">refill</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">elapsed</span> <span class="o">=</span> <span class="p">(</span><span class="nx">now</span> <span class="o">-</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastRefill</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">toAdd</span> <span class="o">=</span> <span class="nx">elapsed</span> <span class="o">*</span> <span class="k">this</span><span class="p">.</span><span class="nx">refillRate</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">toAdd</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">capacity</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">+</span> <span class="nx">toAdd</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastRefill</span> <span class="o">=</span> <span class="nx">now</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">consume</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">refill</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">&gt;=</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">-=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">TokenBucket</span><span class="p">;</span> </code></pre> </div> <p>Simplified Redis client (<code>redisClient.js</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">redis</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">"</span><span class="s2">redis://localhost:6379</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">client</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Redis Error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">));</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">connectRedis</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">client</span><span class="p">.</span><span class="nx">isOpen</span><span class="p">)</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">client</span><span class="p">,</span> <span class="nx">connectRedis</span> <span class="p">};</span> </code></pre> </div> <p>Example server usage (<code>server.js</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">rateLimiter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./rateLimiterMiddleware</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">connectRedis</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./redisClient</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="k">await</span> <span class="nf">connectRedis</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/data</span><span class="dl">"</span><span class="p">,</span> <span class="nx">rateLimiter</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Here is your data</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>Source &amp; repo</p> <p>Full source for this project is available on GitHub: <a href="https://github.com/Manas200426/TokenRateLimiter" rel="noopener noreferrer">https://github.com/Manas200426/TokenRateLimiter</a></p> <p>Atomic Redis script (recommended)</p> <p>Use a small Lua script so refill + consume is executed inside Redis atomically. The implementation details are described in the repo documentation, but the basic flow is:</p> <ol> <li>Get current token state from Redis</li> <li>Calculate tokens to add based on elapsed time</li> <li>Cap tokens at capacity</li> <li>If tokens &gt;= 1: decrement and mark allowed, else mark blocked</li> <li>Store updated state back in Redis with TTL</li> </ol> <p>Operational tips</p> <ul> <li>Set a sensible TTL on per-IP keys to auto-expire idle entries (e.g. a couple of refill periods).</li> <li>Store <code>tokens</code> as a number and <code>lastRefill</code> as epoch ms.</li> <li>Decide fail-open vs fail-closed for Redis errors; this project currently logs errors and lets requests through.</li> </ul> <p>Credits &amp; license</p> <p>Small demo project for learning . Use as you like.</p> api backend javascript node