6d ago · 9 min read · Most engineers add rate limiting because someone told them to, or because they got hit with an abuse spike and panicked. They slap on a library, set a number, and call it done. The question of which a
Join discussionMar 18 · 6 min read · Okay, before we go into the depths of these concepts, I want to tell you that we will take it easy. I don’t want you to get overwhelmed by the jargon. We spend hours arguing about which programming la
Join discussion
Mar 13 · 3 min read · When building APIs or backend systems, one common challenge is handling too many requests at once. If a server receives a sudden spike of traffic, it may slow down or even crash. To prevent this, syst
Join discussion
Mar 9 · 9 min read · TL;DR API rate-limiting ("you can make 100 requests per minute") was designed to prevent single-source abuse. It fails catastrophically against distributed attacks. Botnets with 50,000 nodes, each making 1 request/minute, bypass your 100-req/min limi...
Join discussionJan 12 · 4 min read · In the last two articles, we solved some big problems. We know who the user is (Authentication) and we know what they are allowed to do (Authorization). At this point, you might feel like your backend is a fortress. The doors are locked, and the guar...
Join discussion
Jan 9 · 14 min read · An API rate limiter is a server-side component of a web service that limits the number of API requests a client can make to an endpoint within a period of time. For example, X (formerly known as Twitter) limits the number of tweets that a specific us...
Join discussion
Dec 31, 2025 · 6 min read · In the world of web development, the "Happy Path"—where every request succeeds instantly—is a dangerous fantasy. In reality, networks are flaky, servers crash, and APIs get overwhelmed. If your code doesn't account for these failures, your applicatio...
Join discussion
Dec 18, 2025 · 4 min read · System Design | Backend | Real-World Engineering 1. The Problem That Took Down a “Healthy” System A few years ago, one of our production APIs started timing out. CPU? Fine.Memory? Fine.Database? Fine. The real issue turned out to be surprisingly sim...
Join discussion
Nov 29, 2025 · 13 min read · I recently fell down the rabbit hole of rate limiting and decided to build my own token bucket implementation in Go. This blog covers what rate limiters actually do, why do we need them, and how you can build one from scratch yourself (preferably wit...
Join discussion
