What it does
A fixed window counter divides time into equal slices, such as one minute, and keeps a single counter per client per window. Each request increments the counter. When the counter passes the limit, further requests in that window are rejected until the clock rolls into the next window, where the counter resets to zero.
Why people start here
- It is cheap: one integer per client per window.
- It is easy to reason about and easy to store in a key-value cache with a time to live equal to the window length.
- The window boundary is derived directly from the clock, so no per-request timestamp history is needed.
The boundary problem
The weakness is the edge burst. A client can send the full limit at the very end of one window and the full limit again at the start of the next. Across that short span it sends double the intended rate. The counter is correct inside each window but blind to traffic that straddles the seam.
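The edge burst described above, as an added example that is not part of the original page: a minimal in-memory fixed window limiter plus a check that counts how many accepted requests fall inside any sliding span. The class and function names, the client id, and the limit of 100 per 60 seconds are assumptions chosen for illustration.

```python
from collections import defaultdict


class FixedWindowLimiter:
    """One counter per (client, window index); the index comes from the clock."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        # In-memory stand-in for a cache; a real store would expire old keys by TTL.
        self.counters = defaultdict(int)

    def allow(self, client, now):
        # `now` (seconds) is passed in so the example is deterministic.
        key = (client, int(now // self.window))
        if self.counters[key] >= self.limit:
            return False
        self.counters[key] += 1
        return True


def max_in_sliding_span(accepted_times, span):
    """Largest number of accepted requests inside any interval of length `span`."""
    times = sorted(accepted_times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= span:
            start += 1
        best = max(best, end - start + 1)
    return best


def edge_burst_demo(limit=100, window=60):
    """Constructed traffic: limit + 5 requests on each side of the window seam."""
    limiter = FixedWindowLimiter(limit, window)
    accepted = []
    for base in (window - 1.0, float(window)):  # last second, then first second
        for i in range(limit + 5):
            t = base + i * 0.001
            if limiter.allow("client-a", t):
                accepted.append(t)
    return accepted


if __name__ == "__main__":
    accepted = edge_burst_demo()
    print(len(accepted), "accepted;", max_in_sliding_span(accepted, 2), "within 2 s")
```

Each window rejects its own overflow, yet the sliding check shows the full doubled count landing within about a second of the seam.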
Key idea
A fixed window counter is the cheapest limiter but lets a client burst to twice the limit across a window boundary.