Token Bucket — a rate-limiting algorithm where a "bucket" is filled with tokens at a constant rate (r tokens/sec). Each request consumes 1 token. If the bucket is empty → reject. If full → no new tokens added. Allows bursts (up to bucket capacity) on top of the average rate. Alternatives: leaky bucket (no burst), sliding window (precise but expensive), fixed window (edge effects).
Below: details, example, related terms, FAQ.
Free online tool — HTTP header checker: instant results, no signup.
# Redis Lua pseudocode
local tokens = redis.call("GET", key) or capacity
tokens = min(capacity, tokens + (now - last_refill) * rate)
if tokens >= 1 then
redis.call("SET", key, tokens - 1)
return allow
else
return deny
endThe Token Bucket algorithm is a popular method for controlling the rate of traffic sent to a network. It allows for bursty traffic while still enforcing an average rate limit. The algorithm operates using two main parameters: the rate at which tokens are added to the bucket (r tokens/sec) and the maximum capacity of the bucket (B tokens). When a request is made, it consumes one token from the bucket. If the bucket has tokens available, the request is processed; if not, the request is rejected.
This mechanism ensures that applications can handle sudden bursts of traffic without overwhelming the system, as long as the average rate does not exceed the specified limit. The algorithm is particularly useful in scenarios where user behavior is unpredictable, such as web services and APIs.
Additionally, the Token Bucket algorithm is less restrictive compared to the Leaky Bucket algorithm, which enforces a constant outflow rate, making it more suitable for applications that experience variable traffic patterns.
NGINX Configuration:
To implement Token Bucket rate limiting in NGINX, you can use the limit_req_zone directive. Here is an example configuration:
http { limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s; server { location /api/ { limit_req zone=mylimit burst=5 nodelay; } }}In this example, the rate is set to 1 request per second, with a burst capacity of 5 requests, allowing for short bursts of traffic while maintaining an average rate.
Rate limiting is essential for protecting systems from abuse and ensuring fair resource allocation. The Token Bucket algorithm is often compared with other rate-limiting techniques, including the Leaky Bucket, Sliding Window, and Fixed Window algorithms. Understanding the differences can help in selecting the most appropriate algorithm for a given application.
Leaky Bucket: Unlike the Token Bucket, the Leaky Bucket algorithm enforces a strict output rate. It processes requests at a constant rate, regardless of incoming traffic bursts. This approach effectively smooths out bursts but can lead to delays in processing if the incoming rate exceeds the specified limit.
Sliding Window: The Sliding Window algorithm offers precise control over request rates by keeping track of requests over a fixed time window. While it allows for more accurate rate limiting, it is computationally more expensive due to the need for maintaining state information for each request.
Fixed Window: The Fixed Window algorithm divides time into fixed intervals and counts the number of requests within each interval. This can lead to edge effects, where a burst at the end of one interval may cause denial of service at the start of the next interval. The Token Bucket's flexibility in allowing bursts mitigates this issue.
In summary, the choice of a rate-limiting algorithm should be based on the specific needs of the application, considering factors like burst tolerance, complexity, and resource management.
Token bucket: simple O(1), allows bursts. Sliding window: precise count over any time window, but O(log n) or Redis sorted-set overhead.
Average rate (r) = your target RPS. Capacity = typical burst (10-30 sec worth). E.g. 10 req/sec average + 300 capacity = 30 sec burst.
Both. per-IP defends anonymous abuse. per-user defends credential stuffing after login.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.