Rate Limiting
Throttle API requests per user or IP to prevent abuse. Laravel's throttle middleware uses Redis or the cache for counting.
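// routes/api.php
use App\Http\Controllers\PostController; // default controller namespace
use Illuminate\Support\Facades\Route;

// throttle:60,1 = at most 60 requests per 1 minute
Route::middleware(["auth:sanctum", "throttle:60,1"])->group(function () {
    Route::apiResource("posts", PostController::class);
});

// Custom limiter (app/Providers/RouteServiceProvider.php), applied as "throttle:api"
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for("api", function (Request $request) {
    return $request->user()
        ? Limit::perMinute(120)->by($request->user()->id)
        : Limit::perMinute(20)->by($request->ip());
});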
Return Retry-After and X-RateLimit-Remaining headers so clients know when they can retry.
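The limiter above extended with a JSON 429 response that passes the rate-limit headers through, as an added example that is not part of the original page. It belongs in a service provider's boot() method; the per-IP ceiling of 300 per minute, the key prefixes and the JSON field names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page). Runs inside a Laravel
// application, in the boot() method of a service provider.
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('api', function (Request $request) {
    // Response for throttled requests. The throttle middleware supplies
    // $headers, which carries X-RateLimit-Limit, X-RateLimit-Remaining
    // and, once the limit is hit, Retry-After. Passing the array to the
    // response keeps those headers visible to the client.
    $tooMany = function (Request $request, array $headers) {
        return response()->json([
            'message' => 'Too many requests.',
            // Mirrors the Retry-After header for clients that only read the body.
            'retry_after_seconds' => (int) ($headers['Retry-After'] ?? 0),
        ], 429, $headers);
    };

    $user = $request->user();

    // Same numbers as the page: 120/min per user, 20/min per guest IP.
    // Keys are prefixed so a user id can never collide with an IP string.
    $primary = $user
        ? Limit::perMinute(120)->by('user:' . $user->id)
        : Limit::perMinute(20)->by('ip:' . $request->ip());

    // Assumed extra ceiling: caps the total from one address even when the
    // requests are spread across several accounts. Each limit in the array
    // needs its own key, hence the separate prefix.
    // Behind a load balancer, $request->ip() is the proxy's address unless
    // trusted proxies are configured, which would put every client in one bucket.
    $ceiling = Limit::perMinute(300)->by('ip-ceiling:' . $request->ip());

    // Returning an array makes the middleware enforce every limit in it.
    return [
        $primary->response($tooMany),
        $ceiling->response($tooMany),
    ];
});
```

Attach it to a route group with the `throttle:api` middleware in place of `throttle:60,1`.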