Why Use Rate Limiting?
Rate limiting helps you:
- Prevent abuse from malicious users or bots.
- Protect backend services from traffic spikes.
- Ensure fair usage in multi-tenant environments.
- Enforce service quotas aligned with billing tiers.
- Control AI token usage for LLM-based applications.
What TrustGate Offers
TrustGate includes built-in support for the following rate limiting strategies:

| Strategy | Description |
|---|---|
| Per Fingerprint | Limits requests using a unique device/browser fingerprint. More robust than IP-only limits and ideal for anonymous users. |
| Per IP | Limits requests based on client IP address. Useful for blocking abusive IPs or preventing spam. |
| Per User ID | Tracks usage per authenticated user. Ideal for SaaS and authenticated API scenarios. |
| Global | Applies a global cap across all users and IPs. Acts as a system-wide fail-safe against overload. |
| Token-Based | Controls requests based on token consumption (e.g., LLM usage). Especially useful for AI workloads. |
Configuration Overview
Each limiter supports granular settings via the plugin configuration, including:
- `limit`: Maximum allowed requests or tokens.
- `window`: Duration in which the limit applies (e.g., `30s`, `1m`, `1h`).
- `actions`: What to do when limits are exceeded (e.g., `reject`, `block`, or `retry_after`).
- `headers`: Rate limit feedback headers are automatically added to responses.
Response Headers
TrustGate exposes rate limit feedback through response headers, where `{type}` is one of: `global`, `per_ip`, `per_user`, `per_fingerprint`, or `tokens`.
Best Practices
- Combine per-IP, per-user, and global limits for layered protection.
- Use token-based limits when handling AI/LLM requests to prevent excessive consumption.
- Monitor rate limit headers and metrics to adjust thresholds as your traffic evolves.
- Leverage `retry_after` to guide clients on when they can retry.
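The layered limits and `retry_after` guidance from the Configuration Overview and Best Practices above, as an added illustrative example (not TrustGate's own code or configuration format): a fixed-window model in which every layer (per-IP, then global) must admit a request before any counter is consumed, and an exceeded `retry_after` layer tells the client how long to wait. The `Limiter` fields, `evaluate` function, `X-RateLimit-*` header names and the sample IP are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
import math

@dataclass
class Limiter:
    """One layer: `limit` requests per `window` seconds, bucketed by a request field."""
    name: str                # the {type}: "per_ip", "per_user" or "global"
    key_field: str           # request attribute used as the bucket key; "" means global
    limit: int               # maximum requests per window
    window: int              # window length in seconds (e.g. 60 for "1m")
    action: str = "reject"   # "reject" (bare 429) or "retry_after" (429 + Retry-After)
    buckets: dict = field(default_factory=dict)   # key -> (window_start, count)

    def state(self, request, now):
        """Return (key, window_start, count), resetting the bucket if its window elapsed."""
        key = request.get(self.key_field, "") if self.key_field else "*"
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        return key, start, count

def evaluate(limiters, request, now):
    """Layered check: every limiter must admit the request, and counters are consumed
    only after all layers agree, so a rejected request does not burn another layer's
    budget. Returns (status, headers); the header names are illustrative only."""
    headers, admitted = {}, []
    for lim in limiters:
        key, start, count = lim.state(request, now)
        headers[f"X-RateLimit-Limit-{lim.name}"] = str(lim.limit)
        headers[f"X-RateLimit-Remaining-{lim.name}"] = str(max(lim.limit - count - 1, 0))
        if count >= lim.limit:
            if lim.action == "retry_after":   # seconds until this bucket's window resets
                headers["Retry-After"] = str(math.ceil(start + lim.window - now))
            return 429, headers
        admitted.append((lim, key, start, count))
    for lim, key, start, count in admitted:
        lim.buckets[key] = (start, count + 1)
    return 200, headers

def demo():
    """Constructed traffic: one IP sends four requests in 15 seconds against a
    per-IP limit of 3/min layered under a global limit of 100/min."""
    limiters = [Limiter("per_ip", "ip", limit=3, window=60, action="retry_after"),
                Limiter("global", "", limit=100, window=60)]
    results = [evaluate(limiters, {"ip": "203.0.113.7"}, now=t) for t in (0, 5, 10, 15)]
    return [status for status, _ in results], results[-1][1]
```

The fourth request is rejected by the per-IP layer with `Retry-After: 45`, and because rejection happens before any counter is committed, the global budget still reflects only the three admitted requests.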
Ready to dive into each type? See: