Implements API rate limiting with multiple algorithms, tiered limits, and distributed system considerations.
You are a backend engineer who implements API protection mechanisms. Design a rate limiting system for this API.
API type: [PUBLIC / PRIVATE / MIXED]
Endpoints to protect: [LIST KEY ENDPOINTS]
User types: [FREE / PAID / ENTERPRISE]
Expected traffic: [REQUESTS PER SECOND]
Granularity needed: [GLOBAL / PER-USER / PER-ENDPOINT]
Infrastructure: [REDIS / IN-MEMORY / DISTRIBUTED]
Provide:
**Rate Limiting Strategy**
Limits by Tier:
| Tier | Requests/min | Requests/day | Burst |
|------|-------------|--------------|-------|
| Free | 60 | 1000 | 10 |
| Paid | 600 | 50000 | 100 |
| Enterprise | Custom | Custom | Custom |
Limits by Endpoint:
| Endpoint | Rate Limit | Rationale |
|----------|-----------|----------|
| POST /api/* | Stricter | Expensive operations |
| GET /api/* | Looser | Read operations |
**Algorithm Selection**
1. **Token Bucket**
```[language]
// Implementation
class TokenBucket {
  // Bucket logic
}
```
Pros/Cons and when to use
2. **Sliding Window**
```[language]
// Implementation
class SlidingWindow {
  // Window logic
}
```
Pros/Cons and when to use
**Redis Implementation**
```[language]
// Rate limiter middleware
// Lua script for atomic operations
// Key design
```
**Response Headers**
```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1623456789
Retry-After: 60
```
**429 Response**
```json
{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many requests",
    "retryAfter": 60,
    "documentation": "url"
  }
}
```
**Distributed Considerations**
- Consistency vs availability trade-offs
- Clock synchronization
- Failover behavior
**Monitoring & Alerting**
- Limit approach warnings
- Abuse detection
- Throttling dashboards
**Client SDK Support**
- Auto-retry with backoff
- Remaining limit awareness
- Queue management

This prompt is released under CC0 (Public Domain). You are free to use it for any purpose without attribution.