Advanced API Rate Limiting: Sliding Windows, Token Buckets, and Distributed Counters

via Dev.to Webdev, by Young Gao

Every production API hits the same inflection point: traffic grows, abuse appears, and suddenly you need to answer the question "how many requests should I allow, and for whom?" Rate limiting sounds simple until you run multiple servers, need sub-second accuracy, and have endpoints with wildly different costs.

This is the third installment in the Production Backend Patterns series. We will walk through four major rate limiting algorithms, implement each in TypeScript with Redis, and then tackle the hard parts: distributed coordination, burst handling, cost-based limits, and the headers your clients actually need.

The Four Algorithms, Visualized

Before writing any code, let's build intuition for how each algorithm behaves. Imagine a limit of 10 requests per minute.

Fixed Window

Minute 1      Minute 2      Minute 3
[||||||||  ]  [||||||||||]  [|||       ]
8 allowed     10 (full)     3 so far
^ bo
