Protect your API from abuse and learn how rate limiting works under the hood.
When developing web apps or APIs, it’s critical to prevent users from overwhelming your server. That’s where rate limiting comes in. In this guide, we’ll build a custom rate limiter in Node.js using Redis—no libraries, no magic, just code you control and understand.
What You’ll Learn
- How to use Redis to count and throttle requests
- How to implement reusable middleware in Express
- How to rate limit by IP or API key
- Why this method is better for learning and customization
Prerequisites
- Node.js installed
- Redis running locally (or via Docker)
- Basic Express.js knowledge
Step 1: Set Up the Project
mkdir node-rate-limiter
cd node-rate-limiter
npm init -y
npm install express redis dotenvCreate a .env file:
REDIS_URL=redis://localhost:6379Step 2: Connect to Redis
// redisClient.js
const redis = require("redis");
const client = redis.createClient({ url: process.env.REDIS_URL });
client.on("error", (err) => console.error("Redis error:", err));
client.connect();
module.exports = client;Step 3: Write the Rate Limiting Middleware
// rateLimiter.js
const client = require("./redisClient");
const rateLimiter = (limit = 100, windowSec = 3600) => {
return async (req, res, next) => {
const ip = req.ip;
const key = `rate_limit:${ip}`;
const current = await client.get(key);
if (current !== null && parseInt(current) >= limit) {
return res.status(429).json({ error: "Too many requests. Try later." });
}
const multi = client.multi();
multi.incr(key);
if (!current) {
multi.expire(key, windowSec);
}
await multi.exec();
next();
};
};
module.exports = rateLimiter;Step 4: Use It in Your Express App
// server.js
require("dotenv").config();
const express = require("express");
const rateLimiter = require("./rateLimiter");
const app = express();
const PORT = 3000;
app.use(rateLimiter(100, 3600)); // 100 requests/hour per IP
app.get("/", (req, res) => {
res.send("Welcome! You're within rate limit.");
});
app.listen(PORT, () => {
console.log(`Server running on http://localhost:${PORT}`);
});Step 5: Test It
Use Postman or curl:
curl http://localhost:3000After 100 requests within an hour, you’ll get:
{
"error": "Too many requests. Try later."
}Bonus: Rate Limit by API Key
Instead of IP address, use API keys for user-specific limits:
const userKey = req.headers['x-api-key'] || req.ip;
const key = `rate_limit:${userKey}`;You can now:
- Offer different limits for free vs paid users
- Log or monitor usage per user
Why This Is Valuable
This isn’t just a quick fix—it’s a deep dive into:
- Atomic operations with Redis
- Manual request tracking logic
- Flexibility to customize based on business rules
You’re no longer blindly relying on a package—you understand and control the system.
What’s Next?
Want to extend this?
- Implement sliding windows
- Use Redis tokens (token bucket)
- Add real-time dashboards or admin controls
If you're building any kind of real API, this knowledge will serve you well.
Have questions or want a follow-up tutorial? Leave a comment or reach out—we’d love to help.
More practical Node.js guides →