The fastest way to say no
Lightning-fast rate limiting for Node.js, Bun, and beyond. Protect your APIs with sub-millisecond performance.
```javascript
import { hitlimit } from '@joint-ops/hitlimit'

const limiter = hitlimit({
  limit: 100,
  window: '1m',
  store: 'sqlite'
})

app.use(limiter) // That's it!
```
Everything you need to protect your APIs
Built for performance, designed for developers. Rate limiting that doesn't slow you down.
Blazing Fast
500K+ ops/sec with memory store. 95K+ ops/sec with Bun's native SQLite. Sub-millisecond latency.
Zero Config
One line to start. Sensible defaults for everything. Human-readable time windows like '15m' and '1h'.
Tiny Bundle
~5KB minified. No bloat. Tree-shakeable. Fast to install. Zero unnecessary dependencies.
Tiered Limits
Free, Pro, Enterprise tiers built-in. No extra code needed. Perfect for SaaS applications.
Every Framework
Express, NestJS, Node.js HTTP, Bun.serve, Elysia. One API that works everywhere you do.
Fail Safe
Per-request error handling. Decide fail-open or fail-closed for each endpoint. Critical routes stay protected.
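What the fail-open versus fail-closed choice means when the counter store is unreachable, as an added example that is not hitlimit's code or API: `MemoryStore`, `createLimiter` and `onStoreError` are hypothetical names, and the keys, limits and clock values are constructed.

```javascript
// Added example: a fixed-window limiter whose behaviour on store failure is set per route.
// MemoryStore, createLimiter and onStoreError are hypothetical names, not hitlimit's API.
class MemoryStore {
  constructor() { this.hits = new Map(); this.down = false; }
  // Count one hit for `key` in the window that contains `now`; returns the new count.
  increment(key, windowMs, now) {
    if (this.down) throw new Error('store unavailable'); // simulated outage
    const bucket = `${key}:${Math.floor(now / windowMs)}`;
    const count = (this.hits.get(bucket) || 0) + 1;
    this.hits.set(bucket, count);
    return count;
  }
}

function createLimiter({ store, limit, windowMs, onStoreError }) {
  // onStoreError: 'open' admits the request unmetered, 'closed' rejects it.
  return function check(key, now = Date.now()) {
    try {
      const count = store.increment(key, windowMs, now);
      return count <= limit
        ? { allowed: true, status: 200, remaining: limit - count }
        : { allowed: false, status: 429, remaining: 0 };
    } catch {
      // The limiter cannot count: the route's policy decides, not the error.
      return onStoreError === 'open'
        ? { allowed: true, status: 200, degraded: true }
        : { allowed: false, status: 503, degraded: true };
    }
  };
}

// Constructed scenario: the login route fails closed, a public search route fails open.
function demo() {
  const store = new MemoryStore();
  const login = createLimiter({ store, limit: 3, windowMs: 60_000, onStoreError: 'closed' });
  const search = createLimiter({ store, limit: 3, windowMs: 60_000, onStoreError: 'open' });
  const t0 = 1_700_000_000_000; // fixed clock so the run is deterministic
  const normal = [1, 2, 3, 4].map(() => login('login:203.0.113.7', t0).status);
  const nextWindow = login('login:203.0.113.7', t0 + 60_000).status;
  store.down = true; // the store goes away
  const duringOutage = {
    login: login('login:203.0.113.7', t0 + 61_000),
    search: search('search:203.0.113.7', t0 + 61_000),
  };
  return { normal, nextWindow, duringOutage };
}

console.log(JSON.stringify(demo()));
```

A route that fails open is unmetered for as long as the store is down, so authentication and payment endpoints belong on the fail-closed side, and the `degraded` flag is worth logging and alerting on.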
See the difference
Built-in tiered limits mean less code and fewer bugs. Compare implementing user tiers.
```javascript
// Create separate limiters for each tier
const freeLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour?
  max: 100
})

const proLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 5000
})

const enterpriseLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 100000
})

// Manual routing logic
app.use((req, res, next) => {
  const tier = getUserTier(req)
  if (tier === 'enterprise') {
    return enterpriseLimiter(req, res, next)
  } else if (tier === 'pro') {
    return proLimiter(req, res, next)
  }
  return freeLimiter(req, res, next)
})
```

```javascript
app.use(hitlimit({
  tiers: {
    free: { limit: 100, window: '1h' },
    pro: { limit: 5000, window: '1h' },
    enterprise: { limit: Infinity }
  },
  tier: (req) => req.user?.plan || 'free'
}))
```
How hitlimit compares
See why developers are switching to hitlimit for rate limiting.
| Feature | hitlimit | express-rate-limit | rate-limiter-flexible | @nestjs/throttler |
|---|---|---|---|---|
| Zero-config setup | ||||
| Tiered limits (SaaS) USP | Built-in | Manual | Manual | |
| Human time windows USP | '15m' | 900000 | 900 | 60000 |
| Bun native support USP | bun:sqlite | |||
| Express adapter | DIY | |||
| NestJS adapter | DIY | |||
| Elysia adapter USP | ||||
| SQLite store | ||||
| Redis store | External | External | ||
| Per-request fail mode USP | ||||
| Skip/whitelist | ||||
| Standard headers | Both | Draft-8 | ||
| Async key functions | ||||
| TypeScript | Full | |||
| Bundle size USP | ~5KB | ~15KB | ~45KB | ~20KB |
Benchmarks that speak for themselves
Tested on Apple M1 Max with 64GB RAM
Built for real applications
From startups to enterprises, hitlimit protects APIs in production every day.
SaaS APIs
Tiered limits for free, pro, and enterprise users. Built-in support for user plans.
E-Commerce
Protect cart and checkout APIs from abuse. Inventory and payment endpoints stay safe.
Gaming
Matchmaking and leaderboard APIs. Prevent spam and ensure fair play for all players.
Authentication
Login brute force protection. Strict limits on auth endpoints. Account security first.
Ready to protect your API?
Get started in under 5 minutes. No credit card required. Free forever for open source.