We use rate limits and complexity limits to keep a single person from using too many API resources.
We use the leaky bucket algorithm. The leaky bucket algorithm makes use of a queue that accepts and processes requests in a first-in, first-out (FIFO) manner. As requests get queued up, they are processed at a constant rate. This means that even when the server is hit with a burst of traffic, the outgoing responses are still sent out at the same rate. Once the queue is filled up, the server will drop any more incoming requests until space is freed up for more.
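The queue behaviour described above, as a small simulation added here for illustration; it is not this API's own implementation. The class name, capacity and leak rate are assumptions, and the clock is passed in explicitly so the run is deterministic.

```python
from collections import deque


class LeakyBucket:
    """FIFO queue drained at a constant rate; a full queue drops new requests."""

    def __init__(self, capacity, leak_rate):
        self.capacity = capacity          # max requests waiting (assumed value)
        self.interval = 1.0 / leak_rate   # seconds between two processed requests
        self.queue = deque()
        self.next_leak = 0.0              # earliest time the next request may leave
        self.processed = []               # (time, request_id) in the order sent

    def _leak(self, now):
        # Release queued requests that are due, oldest first, one per interval.
        while self.queue and self.next_leak <= now:
            self.processed.append((self.next_leak, self.queue.popleft()))
            self.next_leak += self.interval
        if not self.queue:
            # Idle time is not saved up: no burst allowance builds while empty.
            self.next_leak = max(self.next_leak, now)

    def offer(self, request_id, now):
        """Return True if the request was queued, False if it was dropped."""
        self._leak(now)
        if len(self.queue) >= self.capacity:
            return False
        self.queue.append(request_id)
        return True

    def advance(self, now):
        """Move the clock forward and return everything processed so far."""
        self._leak(now)
        return list(self.processed)


def simulate_burst():
    # Constructed scenario: 10 requests arrive at t=0, capacity 5, 1 request/s.
    # Request 0 is sent at once, 1-5 wait in the queue, 6-9 are dropped.
    bucket = LeakyBucket(capacity=5, leak_rate=1)
    accepted = [rid for rid in range(10) if bucket.offer(rid, now=0.0)]
    late = bucket.offer("late", now=2.0)  # space has been freed by t=2
    return accepted, late, bucket.advance(now=4.0)
```

Despite the burst at t=0, the processed list shows one request leaving per second, and the request arriving at t=2 is accepted only because earlier ones have drained.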
To keep track of the remaining amount, we send back 4 HTTP response headers for each request:
The maximum number of API requests you're permitted to make per hour.
The number of requests allowed for a given number of seconds.
The number of API requests remaining in the current rate limit window.