Manish Kr Prasad

"Rate Limiting, Simplified": My Journey with Unkey, the Open-Source API Management Platform

As a developer, one of the most rewarding experiences is bringing an idea to life. I recently embarked on a project called devTinder, a platform designed to connect developers and tech enthusiasts for collaboration and networking. As I prepared for the deployment phase (backend only), I realized that ensuring fair usage of resources was paramount to the success of my project. I wanted to protect my application from potential misuse and abuse, so I decided to implement rate limiting using Unkey.

Why Unkey, and how I came to know about it

My journey with Unkey began during the ongoing Hacktoberfest 2024, an event that celebrates open-source contributions and encourages developers to collaborate on exciting projects. As I learned more about its capabilities, I realized that Unkey also offered exactly what I needed for devTinder, i.e. rate limiting. Now to the question of why Unkey:

  • Open Source:
    Unkey is built on an open-source model, allowing developers to contribute, customize, and adapt the tool to fit their specific needs. This fosters a collaborative community that continuously improves the platform.

  • Protection Against DoS Attacks:
    With robust rate-limiting features that are simple to integrate, Unkey provides essential protection against Denial of Service (DoS) attacks. It prevents excessive or abusive use of a resource and ensures that the resource stays available to all legitimate users.

  • No Credit Card Required:
    Getting started with Unkey is hassle-free—there’s no need to provide credit card information. This allows developers to explore the platform without any financial commitments, making it accessible for projects of all sizes.

Using Unkey's rate-limiting feature

  1. Go to https://app.unkey.com/settings/root-keys/new

  2. Give the key a name, and in the Workspace section make sure to check all the Ratelimit options. Then click Create new Key.

  3. Copy your key; it is shown under Your API key.

If you feel lost, you can follow their well-written documentation.
Now copy the above key into your .env file and make sure to name it UNKEY_ROOT_KEY.

e.g. UNKEY_ROOT_KEY="unkey_************************"

Now we need to create a file rateLimit.ts (the filename is not fixed) to store the rate-limit configuration.

[image: rateLimitConfig]

Final step

I want to protect my routes /signup and /login from misuse, so I will rate-limit these two routes. Below is the code:

[image: signup]

[image: login]

Note: you only need those 4-5 lines to get rate limiting in your app. Yes, it's that easy, and it works like magic.
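To make the /signup and /login protection above concrete, here is an added example (not code from the post or from Unkey) of what the route handler does with the response object. It assumes the RatelimitResponse shape the Unkey docs describe (success, limit, remaining, reset) and swaps the Unkey client for a constructed in-memory fixed-window limiter so it runs offline.

```typescript
// RatelimitResponse mirrors the shape the Unkey docs give for `await unkey.limit(id)`,
// where `unkey = new Ratelimit({ rootKey: process.env.UNKEY_ROOT_KEY, namespace,
// limit, duration })` from "@unkey/ratelimit" (API assumed from the docs).
interface RatelimitResponse {
  success: boolean;  // false => reject this request with 429
  limit: number;     // requests allowed per window
  remaining: number; // requests left in the current window
  reset: number;     // unix time (ms) at which the window resets
}
// Constructed in-memory fixed-window stand-in so the example runs offline.
// It is NOT the Unkey service; it only reproduces the response shape above.
class FixedWindowLimiter {
  private windows = new Map<string, { count: number; reset: number }>();
  private readonly maxRequests: number;
  private readonly durationMs: number;
  constructor(maxRequests: number, durationMs: number) {
    this.maxRequests = maxRequests;
    this.durationMs = durationMs;
  }
  limit(identifier: string, nowMs: number): RatelimitResponse {
    let w = this.windows.get(identifier);
    if (!w || nowMs >= w.reset) { // first hit, or the previous window has expired
      w = { count: 0, reset: nowMs + this.durationMs };
      this.windows.set(identifier, w);
    }
    const limit = this.maxRequests;
    if (w.count >= limit) return { success: false, limit, remaining: 0, reset: w.reset };
    w.count += 1;
    return { success: true, limit, remaining: limit - w.count, reset: w.reset };
  }
}
interface RateLimitReply { status: number; headers: Record<string, string>; body?: string }

// Turns a RatelimitResponse into the reply for /signup or /login: standard
// X-RateLimit-* headers on every response, plus 429 and Retry-After when rejected.
function buildRateLimitReply(r: RatelimitResponse, nowMs: number): RateLimitReply {
  const resetSec = Math.max(0, Math.ceil((r.reset - nowMs) / 1000));
  const headers: Record<string, string> = {
    "X-RateLimit-Limit": String(r.limit),
    "X-RateLimit-Remaining": String(r.remaining),
    "X-RateLimit-Reset": String(resetSec),
  };
  if (r.success) return { status: 200, headers };
  return {
    status: 429, headers: { ...headers, "Retry-After": String(resetSec) },
    body: `Too many requests. You have ${r.remaining} left; retry in ${resetSec}s.`,
  };
}
```

In the real handler you would replace the stand-in with `await unkey.limit(identifier)` and write `reply.headers` and `reply.status` to the Express response; keying the identifier on the client address keeps one abusive client from exhausting the window for everyone.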

Demo:

Conclusion:

If you’re considering launching your own application, I highly recommend looking into rate limiting as a means of protecting your resources and ensuring fair usage. Tools like Unkey make it easier than ever to implement these features, allowing you to focus on what you do best—building great software!

Top comments (2)

John P. Rouillard

How does it do rate limiting?

  • fixed window
  • sliding window
  • token bucket
  • leaky bucket (GCRA etc.)
  • other

I noticed you are just returning a human readable error with a 429 status.

Does the ratelimit object provide the information to populate the usual machine readable rate limit headers:

  • X-RateLimit-Remaining: How many calls are left in this window.
  • X-RateLimit-Reset: window ends in this many seconds (not an epoch timestamp) and all X-RateLimit-Limit calls are available again.
  • Retry-After: if user's request fails, this is the next time there will be at least 1 available call to be consumed. Which is useful info to return in your example.

The non-standard rate limit headers:

  • X-RateLimit-Limit: calls allowed per period.
  • X-RateLimit-Limit-Period: Non standard. Defines period in seconds for X-RateLimit-Limit.

can be hardcoded to be the same as the rate limit definition.
But if you have multiple rate limits:

  • the anonymous user may be limited to 5 requests/10sec
  • a high tier user may get 30 requests/10 seconds

getting this data from the ratelimiter makes it less complicated.

Manish Kr Prasad

Hi John,
Currently Unkey uses a fixed window, and they are working towards a sliding window for better burst handling.

You can refer to unkey.com/docs/libraries/ts/ratelimit#ratelimitresponse regarding the ratelimit object info (check the RatelimitResponse object).
In short, you can get the standard rate-limit headers.
In fact, I tried highlighting this in the example by using "You have ${ratelimit.remaining}".