Real-World Examples
Production-ready rate limiting patterns for common use cases. Each example includes complete, copy-paste ready code with explanations of why limits are set as they are.
Quick Start Examples
For simple use cases, here are one-liner setups:
Express - One Liner
import { hitlimit } from '@joint-ops/hitlimit'
app.use(hitlimit()) // 100 requests per minute per IP

NestJS - One Liner
@Module({
  imports: [HitLimitModule.register({ limit: 100, window: '1m' })]
})
export class AppModule {}

Bun - One Liner
Bun.serve({
  fetch: hitlimit({}, (req) => new Response('Hello!'))
})

Industry Examples
SaaS API
Tiered limits by subscription plan (free/pro/enterprise)
Express, NestJS, Redis

Authentication
Login protection, 2FA, brute force prevention
Security, Redis

E-Commerce
Cart abuse prevention, checkout protection
Express, Redis

Social Platform
Posts, comments, follows, and DM limits
Tiered, Redis

Gaming Backend
Matchmaking, leaderboards, chat (Bun)
Bun, High Performance

Cinema Booking
Seat selection, ticket scalping prevention
Session, Redis

Common Patterns
Tiered Rate Limits
hitlimit({
  tiers: {
    free: { limit: 100, window: '1h' },
    pro: { limit: 5000, window: '1h' },
    enterprise: { limit: Infinity }
  },
  tier: (req) => req.user?.plan || 'free'
})

Rate Limit by Workspace (Not User)
hitlimit({
  key: (req) => {
    // All users in same workspace share limits.
    // Requests without req.user all map to the single key 'workspace:undefined'.
    return `workspace:${req.user?.workspaceId}`
  }
})

Fail Open vs Fail Closed
hitlimit({
  onStoreError: (error, req) => {
    // Critical endpoints should fail closed (deny)
    if (req.path.includes('/billing')) return 'deny'
    // Non-critical endpoints can fail open (allow)
    return 'allow'
  }
})

Skip Internal Services
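hitlimit({
  skip: (req) => {
    // Skip health checks
    if (req.path === '/health') return true
    // Skip internal service calls. Require the secret to be set: if
    // process.env.SECRET is undefined, a request without the header would
    // otherwise compare undefined === undefined and skip the limiter.
    const secret = process.env.SECRET
    if (secret && req.headers['x-internal-service'] === secret) {
      return true
    }
    return false
  }
})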
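
The shared-secret check used for skipping internal services, worked through as an added example (not hitlimit code): `naiveSkip` compares the header to a secret that may be unset, while `makeSkip` honours the header only when a non-empty secret is configured and compares without early exit. The function names, the value `example-secret` and the request objects are assumptions constructed for illustration.

```javascript
// Added example, not hitlimit code. Requests are constructed plain objects
// shaped like Express requests (path, headers).

// Direct comparison against a secret that may be unset.
function naiveSkip(req, secret) {
  if (req.path === '/health') return true
  return req.headers['x-internal-service'] === secret
}

// Comparison without early exit: XOR every character and fold in the length
// difference, so timing does not reveal where the first mismatch is.
function safeEqual(a, b) {
  let diff = a.length ^ b.length
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1))
  }
  return diff === 0
}

// Hardened predicate: the header is honoured only when a non-empty secret is
// configured and the header is a string that matches it.
function makeSkip(secret) {
  const configured = typeof secret === 'string' && secret.length > 0
  return (req) => {
    if (req.path === '/health') return true
    const header = req.headers['x-internal-service']
    if (!configured || typeof header !== 'string') return false
    return safeEqual(header, secret)
  }
}

// Constructed requests.
const anonymous = { path: '/api/orders', headers: {} }
const internal = { path: '/api/orders', headers: { 'x-internal-service': 'example-secret' } }
const wrong = { path: '/api/orders', headers: { 'x-internal-service': 'example-secreT' } }
const health = { path: '/health', headers: {} }

function demo() {
  return {
    naiveUnsetSecret: naiveSkip(anonymous, undefined), // limiter skipped for everyone
    hardenedUnsetSecret: makeSkip(undefined)(anonymous),
    hardenedMatch: makeSkip('example-secret')(internal),
    hardenedMismatch: makeSkip('example-secret')(wrong),
    hardenedHealth: makeSkip('example-secret')(health)
  }
}

console.log(demo())
```

In Node, `crypto.timingSafeEqual` on equal-length buffers is the standard-library way to do the same comparison.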