Calculate rate limiting scenarios with token bucket algorithms and capacity planning. Part of the DevTools Surf developer suite.
Use Cases
Calculate token bucket parameters (refill rate, bucket capacity) for an API endpoint.
Size rate limits for a public API tier to prevent any single user from consuming disproportionate capacity.
Determine appropriate limits for a login endpoint to throttle brute-force attacks without blocking legitimate users.
Model how different algorithms (token bucket, leaky bucket, sliding window) handle traffic spikes differently.
Tips
Calculate burst allowance separately from sustained rate — token bucket allows short bursts above the average rate, which is critical for handling legitimate traffic spikes.
Set rate limits at the 95th percentile of normal traffic, not the peak — this catches abusers without blocking heavy-but-legitimate users.
Apply rate limits at multiple layers: per-IP, per-user, and per-endpoint, with progressively tighter limits closer to the database.
Fun Facts
Twitter (now X) introduced its API rate limits in 2010 after a series of outages caused by third-party application traffic. The initial limit was 150 requests per hour per IP.
The token bucket algorithm, one of the most common rate limiting approaches, was first described by J.W. Roberts in a 1979 IEEE paper on queuing theory for packet networks.
Cloudflare processes over 45 million HTTP requests per second at peak and uses a distributed rate limiting system that makes decisions in under 1ms without centralized state.
FAQ
Token bucket vs. leaky bucket — which should I use?
Token bucket allows bursts up to the bucket size, then throttles — better for APIs. Leaky bucket enforces a strictly constant output rate — better for traffic shaping at the network layer.
What HTTP status code do rate-limited requests return?
429 Too Many Requests (RFC 6585). Include a Retry-After header with the number of seconds until the limit resets. Some legacy systems incorrectly return 503 — 429 is correct.
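As an added example (not code from DevTools Surf), here is a small per-key token bucket in Python showing the burst-then-throttle behaviour and the 429 / Retry-After response described above. The class names, the caller-supplied clock, and the sample login limit (burst of 5, refill of 0.25 tokens per second) are assumptions chosen for illustration, not recommended values.

```python
import math

class TokenBucket:
    """capacity = burst allowance; refill_rate = sustained rate in tokens/second."""
    def __init__(self, capacity, refill_rate, now=0.0):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.tokens = float(capacity)   # start full so a new client can burst
        self.updated = now

    def _refill(self, now):
        elapsed = max(0.0, now - self.updated)  # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.updated = max(self.updated, now)

    def check(self, now, cost=1.0):
        """Return (status, headers): 200 if a token was spent, else 429 with Retry-After."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return 200, {}
        wait = (cost - self.tokens) / self.refill_rate
        return 429, {"Retry-After": str(max(1, math.ceil(wait)))}  # round up, never early

class KeyedLimiter:
    """One bucket per key (client IP, user ID or endpoint), created on first use."""
    def __init__(self, capacity, refill_rate):
        self.capacity, self.refill_rate = capacity, refill_rate
        self.buckets = {}

    def check(self, key, now):
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.capacity, self.refill_rate, now)
        return self.buckets[key].check(now)

def simulate(limiter, events):
    """events: list of (timestamp_seconds, key); returns a list of (status, headers)."""
    return [limiter.check(key, t) for t, key in events]

# Constructed sample traffic for a login endpoint (documentation-range IPs).
LOGIN_EVENTS = [(0.0, "203.0.113.7")] * 6 + [
    (0.0, "198.51.100.2"), (4.0, "203.0.113.7"), (5.0, "203.0.113.7")]

if __name__ == "__main__":
    results = simulate(KeyedLimiter(capacity=5, refill_rate=0.25), LOGIN_EVENTS)
    for (t, key), (status, headers) in zip(LOGIN_EVENTS, results):
        print(f"t={t:>4}s {key:<13} -> {status} {headers}")
```

The first five attempts from one address pass as a burst, the sixth is rejected with a Retry-After equal to the time needed to refill one token, and the second address is unaffected because it has its own bucket.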