Building modern web applications is more than just creating features. A big part of backend development is managing how users and systems interact with your server. One important technique for this is rate limiting. It helps you control how often someone can access your APIs or services, which keeps your app fast, safe, and reliable.
In this blog, we will talk about advanced rate limiting using the Token Bucket algorithm. We will explain how it works, why it is useful, and how to use it in NestJS. NestJS is a powerful Node.js framework that is popular for building backend systems.
If you’re planning to learn backend development in depth, knowing how to handle rate limiting is very useful. It’s something that is often taught in a good full stack developer course in Bangalore where real-world backend challenges are explained.
What is Rate Limiting?
Rate limiting is a technique to control the number of requests a user or system can make to your backend in a certain period of time. For example, you may want to allow each user to make only 10 login attempts per hour. This helps prevent abuse and protects your system.
There are many ways to do rate limiting. Some common methods are:
- Fixed window
- Sliding window
- Leaky bucket
- Token bucket
Each method has its own strengths, but the Token Bucket algorithm is one of the most flexible and effective methods. That’s why we are focusing on it in this blog.
How the Token Bucket Algorithm Works
The Token Bucket algorithm is simple to understand.
- Think it like a bucket that fills up with tokens at a regular rate. For example, 1 token every second.
- When a user makes a request, they need to take 1 token from the bucket.
- If there are tokens in the bucket, the request is allowed.
- If there are no tokens, the request is blocked or delayed.
This method allows short bursts of requests, as long as the bucket has tokens. But over time, it limits the number of requests to the refill rate.
This is better than strict methods like the fixed window because it is more flexible. It allows small bursts but still controls the average request rate over time.
Why Use Token Buckets in NestJS?
NestJS is a TypeScript-based framework for building scalable server-side applications. It is built on top of Node.js and uses Express or Fastify under the hood. It’s a great tool for backend development, especially in large projects.
NestJS supports middleware, interceptors, and guards. These features make it simple and easy to add custom logic like rate limiting.
Using Token Bucket rate limiting in NestJS gives you:
- Better control over user traffic
- Protection from abuse or attacks
- The ability to customize limits for different routes
- Scalability for large applications
You can also connect your rate limiter with Redis, so that your system works across multiple servers.
Understanding and building these types of backend systems is a key skill you can learn through a structured full stack developer course. These courses teach both front-end and back-end skills, and often include real projects that use frameworks like NestJS.
How to Implement Token Bucket Rate Limiting in NestJS
Let’s go step by step and see how to implement this in a NestJS project.
Step 1: Create Middleware
NestJS allows us to use middleware to intercept requests. We’ll create middleware that checks the user’s IP and applies the token bucket rule.
nest g middleware rate-limiter
Step 2: Add Token Bucket Logic
Create a simple in-memory storage to track tokens for each user. Here’s a basic version of the middleware:
import { Injectable, NestMiddleware } from ‘@nestjs/common’;
import { Request, Response, NextFunction } from ‘express’;
interface TokenBucket {
tokens: number;
lastRefill: number;
}
const buckets = new Map<string, TokenBucket>();
const MAX_TOKENS = 10;
const REFILL_RATE = 1;
@Injectable()
export class RateLimiterMiddleware implements NestMiddleware {
use(req: Request, res: Response, next: NextFunction) {
const ip = req.ip;
const now = Date.now();
let bucket = buckets.get(ip);
if (!bucket) {
bucket = { tokens: MAX_TOKENS, lastRefill: now };
buckets.set(ip, bucket);
}
const timePassed = (now – bucket.lastRefill) / 1000;
const tokensToAdd = Math.floor(timePassed * REFILL_RATE);
bucket.tokens = Math.min(MAX_TOKENS, bucket.tokens + tokensToAdd);
bucket.lastRefill = now;
if (bucket.tokens > 0) {
bucket.tokens–;
next();
} else {
res.status(429).send(‘Too Many Requests’);
}
}
}
Step 3: Apply Middleware to Routes
Open your app.module.ts and apply the middleware:
import { MiddlewareConsumer, Module, NestModule } from ‘@nestjs/common’;
import { RateLimiterMiddleware } from ‘./rate-limiter.middleware’;
@Module({})
export class AppModule implements NestModule {
configure(consumer: MiddlewareConsumer) {
consumer.apply(RateLimiterMiddleware).forRoutes(‘*’);
}
}
Now every route is protected with token bucket rate limiting.
Using Redis for Shared Storage
In a real application with multiple servers, in-memory storage won’t work well. You’ll need a shared store like Redis.
Here’s how to use Redis:
- Install Redis client:
npm install ioredis - Update your middleware to use Redis instead of in-memory Map.
This way, your rate limiting will work across different server instances, which is very important in cloud-based applications.
This kind of advanced implementation is usually included in a practical full stack developer course in Bangalore, where students learn to work with scalable services and distributed systems.
When Should You Use Token Bucket Rate Limiting?
You can use token bucket rate limiting in many real situations:
- To limit login attempts
- To control the number of API calls
- To restrict access to certain services
- To avoid overloading your server
It’s useful when you want to allow a few quick requests but still control long-term usage.
You can also apply different limits to different users. For example, free users get 100 requests per day, and paid users get 1000.
Best Practices
Here are some tips when using token bucket rate limiting:
- Use Redis for scalable applications
- Log rate limit violations for analysis
- Customize messages for blocked users
- Combine with other tools like CAPTCHA
- Monitor traffic regularly
This is not just theory. Real companies use these techniques to manage traffic and protect their services. These skills are very helpful when you are building serious backend systems.
If you want to learn how to apply such backend concepts from scratch and also build front-end parts, joining a detailed full stack developer course is a great idea. You’ll learn how the front and back of a system work together, and how to solve real business problems.
Conclusion
Rate limiting is a simple but powerful way to protect your server and manage user behavior. The token bucket algorithm is flexible and effective, especially in real-world applications that need to handle bursts of traffic.
NestJS makes it easy to implement this kind of logic using middleware and supports advanced setups using Redis. Whether you’re building a login system, API gateway, or microservices, token bucket rate limiting is a tool you should have in your toolkit.
These backend techniques are more than just interesting ideas—they are real-world tools that developers use every day. That’s why it’s important to understand them if you’re planning to grow your skills. Many training programs, like a developer course, include hands-on backend lessons that go beyond just writing code—they teach you how to build scalable, secure systems.
Learning to use NestJS, rate limiting, and scalable tools like Redis can make you a better developer, ready to face the challenges of modern web development. So keep learning, keep building, and don’t forget to test your systems under real conditions.
Business Name: ExcelR – Full Stack Developer And Business Analyst Course in Bangalore
Address: 10, 3rd floor, Safeway Plaza, 27th Main Rd, Old Madiwala, Jay Bheema Nagar, 1st Stage, BTM 1st Stage, Bengaluru, Karnataka 560068
Phone: 7353006061
Business Email: enquiry@excelr.com
