hitlimit is an open-source rate limiting library for Node.js and Bun created by JointOps. It provides sub-millisecond performance with 5.96M ops/sec (Node.js) and 7.73M ops/sec (Bun), over 4x faster than express-rate-limit. It has a ~8KB bundle (Node.js) or ~18KB (Bun) with zero runtime dependencies. It supports Express, Fastify, Hono, NestJS, Bun.serve, and Elysia frameworks with 8 storage backends: memory, SQLite, Redis, Valkey, DragonflyDB, Postgres, MongoDB, and MySQL.

Is hitlimit faster than express-rate-limit?

Yes, hitlimit is over 4x faster than express-rate-limit in high-traffic benchmarks. It achieves 4.08M operations per second compared to 824K for express-rate-limit (10K unique IPs, memory store, Node.js). Both have zero runtime dependencies.

How do I install hitlimit?

Install hitlimit using npm: 'npm install @joint-ops/hitlimit' for Node.js or 'bun add @joint-ops/hitlimit-bun' for Bun. Then import and configure: const limiter = hitlimit({ limit: 100, window: '1m' }); app.use(limiter);

Does hitlimit support Redis?

Yes, hitlimit supports Redis for distributed rate limiting across multiple servers using atomic Lua scripts via ioredis defineCommand(). Import redisStore from '@joint-ops/hitlimit/stores/redis' and pass it as the store option. hitlimit supports 8 stores: memory (default), SQLite, Redis, Valkey, DragonflyDB, Postgres, MongoDB, and MySQL.

Can I use hitlimit with Express?

Yes, hitlimit works as Express middleware. Install @joint-ops/hitlimit, then use app.use(hitlimit({ limit: 100, window: '1m' })). It is a drop-in replacement for express-rate-limit with better performance.

Can I use hitlimit with NestJS?

Yes, hitlimit integrates with NestJS as an alternative to @nestjs/throttler. Import the hitlimit middleware and apply it globally or to specific routes for rate limiting protection.

What is the difference between hitlimit and rate-limiter-flexible?

hitlimit is faster in memory benchmarks (4.08M ops/sec vs 1.26M at 10K IPs). hitlimit also wins in Redis and Postgres benchmarks. rate-limiter-flexible has more storage backends (14 vs 8) and weighted requests. hitlimit offers simpler configuration, built-in SaaS tier support, 8 framework adapters, and human-readable time windows.

Does hitlimit work with Bun?

Yes, hitlimit has a dedicated Bun package (@joint-ops/hitlimit-bun) optimized for Bun runtime. It works with Bun.serve(), Elysia, and Hono frameworks, achieving 7.73M+ ops/sec peak performance. It includes native bun:sqlite integration and supports all 8 storage backends.

Does hitlimit support Valkey?

Yes, hitlimit has a dedicated Valkey store for distributed rate limiting. Valkey is the Linux Foundation's open-source fork of Redis (BSD-3-Clause license). Import valkeyStore from '@joint-ops/hitlimit/stores/valkey' — it uses the same ioredis client and atomic Lua scripts as the Redis store. Zero migration effort if you're switching from Redis to Valkey.

Does hitlimit support DragonflyDB?

Yes, hitlimit has a dedicated DragonflyDB store for high-throughput distributed rate limiting. DragonflyDB is a multi-threaded Redis-compatible in-memory store. Import dragonflyStore from '@joint-ops/hitlimit/stores/dragonfly' — it uses the same ioredis client and benefits from DragonflyDB's parallel Lua script execution across different keys.

Does hitlimit support MongoDB?

Yes, hitlimit has a MongoDB store for distributed rate limiting. It uses atomic findOneAndUpdate operations with aggregation pipelines and TTL indexes for automatic cleanup. Import mongoStore from '@joint-ops/hitlimit/stores/mongodb' and pass your MongoDB Db instance. Works with MongoDB Atlas, self-hosted MongoDB, and DocumentDB. Ideal for MEAN/MERN stacks.

Does hitlimit support MySQL?

Yes, hitlimit has a MySQL store for distributed rate limiting. It uses INSERT ON DUPLICATE KEY UPDATE with LAST_INSERT_ID() for atomic operations and InnoDB row-level locking. Import mysqlStore from '@joint-ops/hitlimit/stores/mysql' and pass a mysql2 connection pool. Works with MySQL 5.7+, 8.x, and MariaDB 10.5+. Ideal for LAMP stacks.

v1.4.0 — MongoDB, MySQL, Valkey & DragonflyDB stores

Rate limiting that doesn't slow you down

Name: hitlimit
Rating: 5 (1 reviews)
Author: JointOps

7M+ ops/sec on a single core. Express, Fastify, Hono, NestJS, Bun.serve, Elysia — one API across every framework. ~8KB core, zero dependencies.

Get Started View on GitHub

MIT License TypeScript-first Zero dependencies 8 storage backends

server.ts

import { hitlimit } from '@joint-ops/hitlimit'
import express from 'express'

const app = express()

app.use(hitlimit({
  limit: 100,
  window: '1m'
})) // That's it!

import { Elysia } from 'elysia'
import { hitlimit } from '@joint-ops/hitlimit-bun/elysia'

new Elysia()
  .use(hitlimit({
    limit: 100,
    window: '1m'
  }))
  .get('/', () => 'Hello!')
  .listen(3000) // That's it!

$ npm i @joint-ops/hitlimit

One library, every runtime

Same API on both runtimes. Switch between Node.js and Bun without changing your rate limiting code.

Node.js

@joint-ops/hitlimit

Express Fastify Hono NestJS Node.js HTTP

$ npm i @joint-ops/hitlimit

Node.js Docs

Bun

@joint-ops/hitlimit-bun

Bun.serve Elysia Hono

$ bun add @joint-ops/hitlimit-bun

Bun Docs

Not sure which to use? Both share the same API. Start with your runtime and switch anytime.

0.0M+

ops/sec

Node.js (10K IPs)

0.0M+

ops/sec

Bun (10K IPs)

<0ms

Latency

p95 response time

Dependencies

for core module

Numbers you can reproduce

Every benchmark is open source. Tested on Apple M1 Pro, single core. Run them yourself →

Store	Node.js	Bun	Best For
Memory	4.08M ops/s	5.57M ops/s	Highest throughput
SQLite	404K ops/s	372K ops/s	Persistent storage
MongoDB	2.2K ops/s	2.1K ops/s	Distributed (NoSQL)

10K unique IPs. Node.js v24 / Bun v1.3.7, Apple M1. Redis is network-bound. Our benchmarks — done our best to keep them fair. Full results → · Run them yourself

Built for SaaS

Your pricing page has tiers. So should your limiter.

With express-rate-limit, you create a separate middleware for every plan and wire them together yourself. With hitlimit, tiers are a config option.

Before

express-rate-limit

// Create separate limiters for each tier
const freeLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour?
  max: 100
})

const proLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 5000
})

const enterpriseLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 100000
})

// Manual routing logic
app.use((req, res, next) => {
  const tier = getUserTier(req)
  if (tier === 'enterprise') {
    return enterpriseLimiter(req, res, next)
  } else if (tier === 'pro') {
    return proLimiter(req, res, next)
  }
  return freeLimiter(req, res, next)
})

25 lines Manual tier logic Milliseconds

After

hitlimit — Node.js & Bun

// Works with Express, Fastify, Hono, Bun.serve, Elysia...
hitlimit({
  tiers: {
    free: { limit: 100, window: '1h' },
    pro: { limit: 5000, window: '1h' },
    enterprise: { limit: Infinity }
  },
  tier: (req) => req.user?.plan || 'free'
})

7 lines Built-in tiers Human time Any runtime

3x less code for the same result

Why teams switch to hitlimit

Less code, faster throughput, and every store from memory to Postgres. Here's what you get out of the box.

Benchmarked, Not Claimed

5.96M ops/sec on Node.js. 7.73M ops/sec on Bun. Single-core, reproducible benchmarks you can run yourself.

One Line to Protect

hitlimit({ limit: 100, window: '1m' }) — that's your entire setup. Human-readable windows, sensible defaults, done.

Ships Nothing Extra

~8KB core bundle. Zero runtime dependencies. Tree-shakeable — you only pay for what you import.

Built-in SaaS Tiers

Define Free, Pro, and Enterprise limits in one config object. No manual routing, no separate middleware instances.

Your Framework, Covered

8 built-in adapters: Express, Fastify, Hono, NestJS, Node.js HTTP, Bun.serve, Elysia. Drop in and go.

Auto-Ban Abusers

Automatic ban escalation for repeat offenders. Configurable thresholds and durations. Your API fights back.

Honest side-by-side

We show what we don't support yet, too. No hidden footnotes.

Feature	hitlimit	express-rate-limit	rate-limiter-flexible	@nestjs/throttler
Framework adapters	8 built-in	1	DIY	1
Human time windows	'15m'	900000	900	60000
Tiered limits (SaaS)	Built-in	Manual	Manual	Per-route
Bun native support	bun:sqlite
Auto-ban on abuse
Storage backends	8	5	14	2
Standard headers	Both	Both	Manual	Legacy
MongoDB / MySQL / Postgres		External
Weighted requests Planned

Built-in

Manual External / DIY

Planned On roadmap

Ready for your stack

Copy-paste examples for common patterns. Each one works with any framework and any store.

🚀

SaaS APIs

Ship Free, Pro, and Enterprise tiers with a single config. No per-plan middleware wiring.

See example

🛒

E-Commerce

Rate limit cart, checkout, and payment endpoints separately. Stop inventory hoarding bots.

See example

🎮

Gaming

Protect matchmaking and leaderboard APIs. Auto-ban repeat abusers without custom code.

See example

🔐

Authentication

Strict limits on login and reset endpoints. Escalating bans for brute force attempts.

See example