Inbound rate limiting middleware with token bucket

4493 views

                  package middleware

import (
  "net/http"

  "golang.org/x/time/rate"
)

func RateLimit(l *rate.Limiter) func(http.Handler) http.Handler {
  return func(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
      if !l.Allow() {
        http.Error(w, "too many requests", http.StatusTooManyRequests)
        return
      }
      next.ServeHTTP(w, r)
    })
  }
}

If you expose an API to the public internet, you need a basic guardrail against bursts. I like a token bucket with rate.NewLimiter because it’s easy to reason about: steady-state rate plus a burst capacity. The middleware checks Allow() and returns 429 quickly when the limit is exceeded, which protects your database and downstream services. The important detail is scope: a global limiter is useful for protecting the whole service, but per-client limiting is usually better. In production, I combine this with an IP-based key (or authenticated principal) and a shared store if I need global enforcement across instances. Even as a local limiter, it’s a helpful first line of defense and keeps your service from getting overwhelmed by accidental client loops.

Leah Thompson

More from Leah Thompson

Inbound rate limiting middleware with token bucket

0 Comments

More from Leah Thompson