PRODUCTION READY · 3 ALGORITHMS · ATOMIC LUA SCRIPTS · REAL-TIME DASHBOARD
Distributed rate limiting
done right.
Express middleware that identifies callers by API key or IP, runs an atomic Lua script in Redis, and allows or blocks — with zero race conditions across any number of instances.
INTERACTIVE DEMO
Fire real requests. Watch it block.
Hits the live production API on Render + Upstash Redis. Press ×8 to drain the limit and trigger a 429.
GET /demo/public (fixed window): Divides time into fixed buckets. Fast and simple. Vulnerable to boundary burst attacks.
GET /demo/authenticated (sliding window): Always looks at the last N milliseconds using a Redis sorted set. Eliminates boundary edge cases.
POST /demo/expensive (token bucket): Tokens refill over time. Allows bursting up to capacity, then throttles to the refill rate. Used by Stripe.
Every request above is tracked live on the dashboard
Real-time chart · allowed vs blocked · top blocked identifiers · SSE live feed
HOW IT WORKS
x-api-key header takes priority. Falls back to x-forwarded-for then socket IP. Every caller gets an isolated Redis key.
One script runs inside Redis. Read, decide, write — one indivisible operation. No race condition possible at any scale.
X-RateLimit-Limit, Remaining, Reset on every response. Retry-After on every 429. Clients always know their state.
Redis down? Each route is configured fail-open or fail-closed independently. No silent failures, no surprise outages.
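The following is an added example, not the project's own code or its Lua scripts: an in-memory, single-process simulation of the three algorithms described above, on an injectable clock, so the fixed-window boundary burst, the sliding window's fix for it, and token-bucket burst-then-throttle behaviour can be observed without Redis. It also shows the identifier order from the "How it works" section (API key, then x-forwarded-for, then socket IP) and the header set described there. The class and function names, the trustProxy flag, and the sample request objects are this example's assumptions; in the real middleware the read-decide-write step runs atomically inside Redis, which this simulation does not model.

```javascript
// Constructed simulation of the three rate-limiting algorithms (not the project's code).
// `now` is passed in as milliseconds so timing can be controlled deterministically.

class FixedWindow {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.counts = new Map(); }
  hit(id, now) {
    const bucket = Math.floor(now / this.windowMs);           // which fixed bucket this request lands in
    const key = `${id}:${bucket}`;
    const count = (this.counts.get(key) || 0) + 1;            // INCR equivalent
    this.counts.set(key, count);
    const resetMs = (bucket + 1) * this.windowMs - now;       // time until the bucket rolls over
    return { allowed: count <= this.limit, remaining: Math.max(0, this.limit - count), resetMs, retryAfterMs: resetMs };
  }
}

class SlidingWindow {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.log = new Map(); }
  hit(id, now) {
    // Drop timestamps older than the window (ZREMRANGEBYSCORE equivalent), then count (ZCARD).
    const entries = (this.log.get(id) || []).filter(t => t > now - this.windowMs);
    if (entries.length >= this.limit) {
      this.log.set(id, entries);
      return { allowed: false, remaining: 0, retryAfterMs: entries[0] + this.windowMs - now };
    }
    entries.push(now);                                        // ZADD equivalent
    this.log.set(id, entries);
    return { allowed: true, remaining: this.limit - entries.length };
  }
}

class TokenBucket {
  // refillRate is tokens per second; capacity is the maximum burst.
  constructor(capacity, refillRate) { this.capacity = capacity; this.refillRate = refillRate; this.state = new Map(); }
  hit(id, now) {
    const s = this.state.get(id) || { tokens: this.capacity, last: now };
    const tokens = Math.min(this.capacity, s.tokens + ((now - s.last) / 1000) * this.refillRate);
    s.last = now;
    if (tokens >= 1) {
      s.tokens = tokens - 1;
      this.state.set(id, s);
      return { allowed: true, remaining: Math.floor(s.tokens) };
    }
    s.tokens = tokens;
    this.state.set(id, s);
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil(((1 - tokens) / this.refillRate) * 1000) };
  }
}

// Identifier order from the page: x-api-key, then x-forwarded-for, then socket IP.
// trustProxy is this example's assumption: x-forwarded-for is set by whoever sends the request,
// so it is only a safe identifier when a proxy you control overwrites it.
function resolveIdentifier(req, trustProxy) {
  const apiKey = req.headers['x-api-key'];
  if (apiKey) return `key:${apiKey}`;
  const xff = trustProxy ? req.headers['x-forwarded-for'] : undefined;
  if (xff) return `ip:${String(xff).split(',')[0].trim()}`;
  return `ip:${req.socket.remoteAddress}`;
}

// Headers as described on the page: Limit/Remaining/Reset always, Retry-After on a block.
function rateLimitHeaders(limit, result) {
  const h = { 'X-RateLimit-Limit': String(limit), 'X-RateLimit-Remaining': String(result.remaining) };
  if (result.resetMs !== undefined) h['X-RateLimit-Reset'] = String(Math.ceil(result.resetMs / 1000));
  if (!result.allowed) h['Retry-After'] = String(Math.ceil(result.retryAfterMs / 1000));
  return h;
}

// Boundary burst: limit 5 per 1000 ms, five requests at t=999 ms and five more at t=1001 ms.
// A fixed window allows all ten within 2 ms; a sliding window allows five.
function boundaryBurst(limiter) {
  let allowed = 0;
  for (let i = 0; i < 5; i++) if (limiter.hit('client', 999).allowed) allowed++;
  for (let i = 0; i < 5; i++) if (limiter.hit('client', 1001).allowed) allowed++;
  return allowed;
}

// Token bucket: capacity 10, refill 2/s. Twelve requests at t=0 yield 10 allowed; at t=500 ms
// exactly one token has refilled, so one more passes and the next is told to retry in 500 ms.
function tokenBucketDemo() {
  const tb = new TokenBucket(10, 2);
  let burst = 0;
  for (let i = 0; i < 12; i++) if (tb.hit('u', 0).allowed) burst++;
  const afterRefill = tb.hit('u', 500).allowed;
  const throttled = tb.hit('u', 500);
  return { burst, afterRefill, retryAfterMs: throttled.retryAfterMs };
}
```

Run `boundaryBurst(new FixedWindow(5, 1000))` against `boundaryBurst(new SlidingWindow(5, 1000))` to see the boundary issue the demo page describes; `tokenBucketDemo()` shows the burst-to-capacity-then-throttle shape. In production the equivalent logic lives in one Lua script so that the read, decision and write cannot interleave across instances.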
USAGE
One line to protect any route.
```javascript
// protect any route in one line
app.use('/api', createRateLimiter({
  algorithm: 'sliding',
  limit: 100,
  windowMs: 60_000,
}));

// token bucket for burst-tolerant endpoints
app.post('/api/payment',
  createRateLimiter({
    algorithm: 'token',
    capacity: 10,
    refillRate: 2,
    failOpen: false, // fail-closed on Redis outage
  }),
  paymentHandler
);
```
See it live.
Real-time charts, SSE event feed, top blocked identifiers.