Rate limiter in Go: per-IP token bucket with golang.org/x/time/rate

ClaudeGate exposes Claude Code CLI as a REST API. Every POST /api/v1/jobs request creates a job that spawns a CLI process — this isn't an HTTP handler that fires a SQL query. It's a child process, RAM, CPU, time. Without protection, an aggressive client can saturate the machine in seconds. The obvious solution: a per-IP rate limiter. The golang.org/x/time/rate package implements the token bucket algorithm, which is exactly what's needed here. Here's how the integration was done, the decisions made, and what was deliberately left out. Token bucket: the mechanics in two sentences A token bucket holds tokens. Each request consumes one token. Tokens replenish at a constant rate (the RPS). If the bucket is empty, the request is rejected. golang.org/x/time/rate exposes this cleanly via rate.NewLimiter(limit, burst) : import "golang.org/x/time/rate" // 5 requests/second, burst of 5 (no accumulation beyond that) limiter := rate . NewLimiter ( rate . Limit ( 5 ), 5 ) if limiter . Allow () { //