1 min read

What is rate limiting?

Picture of Kirsten Peremore Kirsten Peremore Sep 15, 2024 2:00:20 PM

Email API
Source code displayed on a computer monitor

Rate limiting controls the number of requests made from an API to promote fair access, and maintain peak performance.

 

Understanding rate limiting in APIs

Rate limiting is a technique that controls how many requests a user or application can make to an Application Programming Interface (API) within a specific timeframe. An API is a set of rules that allow software programs to communicate with each other. A rate limit thus limits the number of requests allowed per second, minute, or hour to prevent a single user from overwhelming the system. The action contributes to availability and performance, preventing lags in the system. 

 

How it works

  • The limits are set by defining how many requests a user can make in a period.
  • The number of requests made is then tracked and compared to the defined limits. 
  • Requests within the limits are permitted while those outside the limit are denied. 
  • Information is sent back to the user about their rate limit status, including how many requests they have left and when the limit will reset. 
  • The limit resets after some time so that users can make new requests.

 

Why is it important

According to a study from the Software Institute in Switzerland, “API Rate Limiting plays a critical role in ensuring the security of an API system. It helps to protect against various types of attacks, including denial-of-service (DoS) attacks…”

Rate limiting primarily manages resource usage and service quality. It also serves as a method of preventing attacks like denial of service (DoS) attacks where attackers flood the system with requests to disrupt its operation. In setting a maximum number of requests, the rate limit ensures that no single client can overwhelm the API with excessive requests. In the event of a DoS attack, the rate limit mechanism will identify and block these excessive requests and mitigate API crashing. 

Related: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is a cyberattack?

An attempt by hackers to damage, disrupt, or gain unauthorized access to a computer system or network. 

 

What is an API? 

A set of rules that allows different software applications to communicate with each other. 

 

Why are denial of service attacks commonly used?

It is commonly used to overwhelm the normal functions of a website or service. 

Download the HIPAA compliant email checklist

Download the HIPAA compliant email checklist
mandrill logo

Can I use Mandrill and be HIPAA compliant? (2025 update)

Gugu Ntsele : May 31, 2025 6:26:11 AM

Based on our research, Mandrill is not HIPAA compliant because it does not meet the requirements set by the U.S. Department of Health and Human...

HIPAA compliance Email API
Read More
Image of a shield with a keyhole in it.

Premier Health data breach exposes sensitive patient and employee information

Picture of Farah Amod Farah Amod : Aug 4, 2025 10:56:47 AM

A cyberattack on Premier Health Partners compromised a wide range of personal and medical data over a five-week period in 2023.

Healthcare cybersecurity news
Read More
Image of two people working next to each other, one writing and the other on a computer.

Roles that may overlook HIPAA compliance

Picture of Tshedimoso Makhene Tshedimoso Makhene : Mar 17, 2025 2:23:30 PM

Several roles in healthcare and adjacent industries may inadvertently overlook HIPAA compliance due to a lack of awareness, training, or...

HIPAA compliance
Read More