hitlimit is an open-source rate limiting library for Node.js and Bun created by JointOps. It provides sub-millisecond performance with 4.8M ops/sec (Node.js) and 12.3M ops/sec (Bun), over 4x faster than express-rate-limit. It has a ~8KB bundle (Node.js) or ~18KB (Bun) with zero runtime dependencies. It supports Express, Fastify, Hono, NestJS, Bun.serve, and Elysia frameworks with 6 storage backends: memory, SQLite, Redis, Valkey, DragonflyDB, and Postgres.

Is hitlimit faster than express-rate-limit?

Yes, hitlimit is over 4x faster than express-rate-limit in high-traffic benchmarks. It achieves 3.16 million operations per second compared to 749 thousand for express-rate-limit (10K unique IPs, memory store, Node.js). Both have zero runtime dependencies.

How do I install hitlimit?

Install hitlimit using npm: 'npm install @joint-ops/hitlimit' for Node.js or 'bun add @joint-ops/hitlimit-bun' for Bun. Then import and configure: const limiter = hitlimit({ limit: 100, window: '1m' }); app.use(limiter);

Does hitlimit support Redis?

Yes, hitlimit supports Redis for distributed rate limiting across multiple servers using atomic Lua scripts via ioredis defineCommand(). Import redisStore from '@joint-ops/hitlimit/stores/redis' and pass it as the store option. hitlimit supports 6 stores: memory (default), SQLite, Redis, Valkey, DragonflyDB, and Postgres.

Can I use hitlimit with Express?

Yes, hitlimit works as Express middleware. Install @joint-ops/hitlimit, then use app.use(hitlimit({ limit: 100, window: '1m' })). It is a drop-in replacement for express-rate-limit with better performance.

Can I use hitlimit with NestJS?

Yes, hitlimit integrates with NestJS as an alternative to @nestjs/throttler. Import the hitlimit middleware and apply it globally or to specific routes for rate limiting protection.

What is the difference between hitlimit and rate-limiter-flexible?

hitlimit is faster in memory benchmarks (3.16M ops/sec vs 1.14M at 10K IPs). hitlimit also wins in Redis and Postgres benchmarks. rate-limiter-flexible has more storage backends (14 vs 6) and weighted requests. hitlimit offers simpler configuration, built-in SaaS tier support, 8 framework adapters, and human-readable time windows.

Does hitlimit work with Bun?

Yes, hitlimit has a dedicated Bun package (@joint-ops/hitlimit-bun) optimized for Bun runtime. It works with Bun.serve(), Elysia, and Hono frameworks, achieving 12.3M+ ops/sec peak performance. It includes native bun:sqlite integration and supports all 6 storage backends.

Does hitlimit support Valkey?

Yes, hitlimit has a dedicated Valkey store for distributed rate limiting. Valkey is the Linux Foundation's open-source fork of Redis (BSD-3-Clause license). Import valkeyStore from '@joint-ops/hitlimit/stores/valkey' — it uses the same ioredis client and atomic Lua scripts as the Redis store. Zero migration effort if you're switching from Redis to Valkey.

Does hitlimit support DragonflyDB?

Yes, hitlimit has a dedicated DragonflyDB store for high-throughput distributed rate limiting. DragonflyDB is a multi-threaded Redis-compatible in-memory store. Import dragonflyStore from '@joint-ops/hitlimit/stores/dragonfly' — it uses the same ioredis client and benefits from DragonflyDB's parallel Lua script execution across different keys.

v1.3.0 — Valkey & DragonflyDB support

The fastest way to rate limit

Name: hitlimit
Rating: 5 (1 reviews)
Author: JointOps

One library for Node.js and Bun. Express, Fastify, Hono, NestJS, Bun.serve, Elysia. Sub-millisecond performance, zero dependencies.

Get Started View on GitHub

MIT License TypeScript-first Zero dependencies

server.ts

import { hitlimit } from '@joint-ops/hitlimit'
import express from 'express'

const app = express()

app.use(hitlimit({
  limit: 100,
  window: '1m'
})) // That's it!

import { Elysia } from 'elysia'
import { hitlimit } from '@joint-ops/hitlimit-bun/elysia'

new Elysia()
  .use(hitlimit({
    limit: 100,
    window: '1m'
  }))
  .get('/', () => 'Hello!')
  .listen(3000) // That's it!

$ npm i @joint-ops/hitlimit

One library, every runtime

Works out of the box with Node.js and Bun. Same API, same performance, same simplicity.

Node.js

@joint-ops/hitlimit

Express Fastify Hono NestJS Node.js HTTP

$ npm i @joint-ops/hitlimit

Node.js Docs

Bun

@joint-ops/hitlimit-bun

Bun.serve Elysia Hono

$ bun add @joint-ops/hitlimit-bun

Bun Docs

Not sure which to use? Both share the same API. Start with your runtime and switch anytime.

0.0M+

ops/sec

Node.js (10K IPs)

0.0M+

ops/sec

Bun (10K IPs)

<0ms

Latency

p95 response time

Dependencies

for core module

Real benchmarks

Tested on Apple M1. Run them yourself →

Store	Node.js	Bun	Best For
Memory	3.16M ops/s	8.32M ops/s	Highest throughput
SQLite	352K ops/s	325K ops/s	Persistent storage
Redis	6.7K ops/s	6.7K ops/s	Distributed
Postgres	3.0K ops/s	3.7K ops/s	Distributed (SQL)

10K unique IPs. Node.js v24 / Bun v1.3.7, Apple M1. Redis is network-bound. Our benchmarks — done our best to keep them fair. Full results → · Run them yourself

Built for SaaS

Tiered limits in 8 lines, not 25

Competitors require 20+ lines of manual routing for Free/Pro/Enterprise tiers. hitlimit does it in 8 lines with built-in tier support.

Before

express-rate-limit

// Create separate limiters for each tier
const freeLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour?
  max: 100
})

const proLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 5000
})

const enterpriseLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 100000
})

// Manual routing logic
app.use((req, res, next) => {
  const tier = getUserTier(req)
  if (tier === 'enterprise') {
    return enterpriseLimiter(req, res, next)
  } else if (tier === 'pro') {
    return proLimiter(req, res, next)
  }
  return freeLimiter(req, res, next)
})

25 lines Manual tier logic Milliseconds

After

hitlimit — Node.js & Bun

// Works with Express, Fastify, Hono, Bun.serve, Elysia...
hitlimit({
  tiers: {
    free: { limit: 100, window: '1h' },
    pro: { limit: 5000, window: '1h' },
    enterprise: { limit: Infinity }
  },
  tier: (req) => req.user?.plan || 'free'
})

7 lines Built-in tiers Human time Any runtime

3x less code for the same result

Everything you need to protect your APIs

Built for performance, designed for developers. Rate limiting that doesn't slow you down.

Every Runtime

First-class support for Node.js (4.8M ops/sec) and Bun (12.3M ops/sec). Same API, same config. One library for every JavaScript runtime.

Zero Config

One line to start. Sensible defaults for everything. Human-readable time windows like '15m' and '1h'.

Tiny Bundle

~8KB core (Node.js) / ~18KB (Bun). Tree-shakeable. Zero runtime dependencies.

Tiered Limits

Free, Pro, Enterprise tiers built-in. No extra code needed. Perfect for SaaS applications.

8 Framework Adapters

Express, Fastify, Hono, NestJS, Node.js HTTP, Bun.serve, Elysia. Built-in adapters that work out of the box.

Fail Safe

Per-request error handling. Decide fail-open or fail-closed for each endpoint. Critical routes stay protected.

How hitlimit compares

Honest feature comparison. We show what we don't have yet, too.

Feature	hitlimit	express-rate-limit	rate-limiter-flexible	@nestjs/throttler
Framework adapters	8 built-in	1	DIY	1
Human time windows	'15m'	900000	900	60000
Tiered limits (SaaS)	Built-in	Manual	Manual	Per-route
Bun native support	bun:sqlite
Auto-ban on abuse
Storage backends	4	5	14	2
Standard headers	Both	Both	Manual	Legacy
MongoDB / Postgres stores	Postgres	External
Weighted requests Planned

Built-in

Manual External / DIY

Planned On roadmap

Built for real applications

From side projects to production APIs, hitlimit handles the rate limiting so you can focus on your product.

🚀

SaaS APIs

Tiered limits for free, pro, and enterprise users. Built-in support for user plans.

See example

🛒

E-Commerce

Protect cart and checkout APIs from abuse. Inventory and payment endpoints stay safe.

See example

🎮

Gaming

Matchmaking and leaderboard APIs. Prevent spam and ensure fair play for all players.

See example

🔐

Authentication

See example