Rate Limiting
BetaThe Rate Limiting API lets you define rate limits and write code around them in your Worker.
You can use it to enforce:
- Rate limits that are applied after your Worker starts, only once a specific part of your code is reached
- Different rate limits for different types of customers or users (ex: free vs. paid)
- Resource-specific or path-specific limits (ex: limit per API route)
- Any combination of the above
The Rate Limiting API is backed by the same infrastructure that serves the Rate limiting rules that are built into the Cloudflare Web Application Firewall (WAF).
Get started
First, add a binding to your Worker that gives it access to the Rate Limiting API:
This binding makes the MY_RATE_LIMITER
binding available, which provides a limit()
method:
The limit()
API accepts a single argument — a configuration object with the key
field.
- The key you provide can be any
string
value. - A common pattern is to define your key by combining a string that uniquely identifies the actor initiating the request (ex: a user ID or customer ID) and a string that identifies a specific resource (ex: a particular API route).
You can define and configure multiple rate limiting configurations per Worker, which allows you to define different limits against incoming request and/or user parameters as needed to protect your application or upstream APIs.
For example, here is how you can define two rate limiting configurations for free and paid tier users:
Configuration
A rate limiting binding has three settings:
namespace_id
(number) - a positive integer that uniquely defines this rate limiting configuration - e.g.namespace_id = "999"
.limit
(number) - the limit (number of requests, number of API calls) to be applied. This is incremented when you call thelimit()
function in your Worker.period
(seconds) - must be10
or60
. The period to measure increments to thelimit
over, in seconds.
For example, to apply a rate limit of 1500 requests per minute, you would define a rate limiting configuration as follows:
Best practices
The key
passed to the limit
function, that determines what to rate limit on, should represent a unique characteristic of a user or class of user that you wish to rate limit.
- Good choices include API keys in
Authorization
HTTP headers, URL paths or routes, specific query parameters used by your application, and/or user IDs and tenant IDs. These are all stable identifiers and are unlikely to change from request-to-request. - It is not recommended to use IP addresses or locations (regions or countries), since these can be shared by many users in many valid cases. You may find yourself unintentionally rate limiting a wider group of users than you intended by rate limiting on these keys.
Locality
Rate limits that you define and enforce in your Worker are local to the Cloudflare location ↗ that your Worker runs in.
For example, if a request comes in from Sydney, Australia, to the Worker shown above, after 100 requests in a 60 second window, any further requests for a particular path would be rejected, and a 429 HTTP status code returned. But this would only apply to requests served in Sydney. For each unique key you pass to your rate limiting binding, there is a unique limit per Cloudflare location.
Performance
The Rate Limiting API in Workers is designed to be fast.
The underlying counters are cached on the same machine that your Worker runs in, and updated asynchronously in the background by communicating with a backing store that is within the same Cloudflare location.
This means that while in your code you await
a call to the limit()
method:
You are not waiting on a network request. You can use the Rate Limiting API without introducing any meaningful latency to your Worker.
Accuracy
The above also means that the Rate Limiting API is permissive, eventually consistent, and intentionally designed to not be used as an accurate accounting system.
For example, if many requests come in to your Worker in a single Cloudflare location, all rate limited on the same key, the isolate that serves each request will check against its locally cached value of the rate limit. Very quickly, but not immediately, these requests will count towards the rate limit within that Cloudflare location.
Examples
@elithrar/workers-hono-rate-limit
↗ — Middleware that lets you easily add rate limits to routes in your Hono ↗ application.@hono-rate-limiter/cloudflare
↗ — Middleware that lets you easily add rate limits to routes in your Hono ↗ application, with multiple data stores to choose from.