Rate Limit by API Key vs IP vs User

The identity you key the limiter on decides who shares a budget and who gets blocked unfairly.

Choosing the key

A rate limiter counts requests per key. The choice of key decides who shares a quota and who is isolated. Three common keys each have tradeoffs.

The three options

  • By IP address: works for anonymous traffic, but many users behind one office or carrier NAT share an address, so one heavy user can throttle a whole building. Attackers can also rotate IPs cheaply.
  • By API key: ideal for paid programmatic access. The key maps to an account, so the budget is precise and tied to billing. It only works when callers authenticate.
  • By user identity: ties the limit to a logged-in account regardless of device or network, which is the fairest for human users but requires authentication.

Combining keys

Real systems often layer keys: a coarse per IP limit to blunt anonymous abuse, plus a precise per API key or per user limit once the caller is identified.
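The layering just described, as an added Python example that is not part of this lesson: one token bucket per key string, applied first per IP address and then per API key or user id once the caller is identified. The bucket sizes, refill rates and the sample addresses in the test are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenBucket:
    """Refills `rate` tokens per second up to `capacity`; one request costs one token."""
    capacity: float
    rate: float
    tokens: float
    updated: float

    def take(self, now: float) -> bool:
        # refill for the elapsed time, then spend a token if one is available
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class KeyedLimiter:
    """One bucket per key string (IP, API key or user id); buckets are created lazily."""
    def __init__(self, capacity: float, rate: float):
        self.capacity, self.rate = capacity, rate
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, key: str, now: float) -> bool:
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = TokenBucket(self.capacity, self.rate, self.capacity, now)
        return b.take(now)


class LayeredLimiter:
    """Coarse per-IP budget for every caller, plus a precise budget keyed on the
    API key or user id once the caller is identified. Limits are assumed values."""
    def __init__(self):
        self.by_ip = KeyedLimiter(capacity=100, rate=10)      # assumed: 100 burst, 10/s per address
        self.by_identity = KeyedLimiter(capacity=20, rate=2)  # assumed: 20 burst, 2/s per key or user

    def allow(self, ip: str, now: float, api_key: Optional[str] = None,
              user_id: Optional[str] = None) -> str:
        if not self.by_ip.allow(ip, now):
            return "blocked:ip"              # shared by everyone behind this address (e.g. a NAT)
        identity = f"key:{api_key}" if api_key else (f"user:{user_id}" if user_id else None)
        if identity is None:
            return "allowed:anonymous"       # anonymous callers only ever see the IP budget
        if not self.by_identity.allow(identity, now):
            return "blocked:identity"
        return "allowed:" + identity
```

Two API keys behind the same NAT address each keep their own precise budget, while an anonymous burst from one address exhausts only the shared IP budget.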

Key idea

The limiter key chooses who shares a budget, so pick IP for anonymous traffic and API key or user identity for authenticated callers.

Check yourself

1. Why can limiting by IP be unfair?

2. When is keying by API key the best fit?