Redis on Man-Youhttps://man-you.ringum.net/tags/redis/Recent content in Redis on Man-YouHugo -- gohugo.ioen-usTue, 10 Feb 2026 09:49:00 +0200Rate limiting with a single Lua scripthttps://man-you.ringum.net/posts/application-kit-ratelimit/Tue, 10 Feb 2026 09:49:00 +0200https://man-you.ringum.net/posts/application-kit-ratelimit/<p>We needed rate limiting across all our services: FastAPI, Django, you name it. The usual approach is to grab a library, wire it up per-framework, and accept the slight differences in behavior between them. We went a different way: one Lua script that runs atomically in Redis, with everything else being thin wrappers around it.</p> <p>This is how the rate limiting system in <a href="https://github.com/Woosmap/application_kit">application-kit</a> works, including per-project overrides, element-based counting, and a monitor mode for gradual rollouts.</p> <h2 id="the-problem-with-two-rate-limiters">The problem with two rate limiters</h2> <p>Early on, we had two Lua scripts: one for basic path-based rate limiting and another for per-project limits with override support. They did almost the same thing but diverged just enough to be annoying. Bug fixes had to land in two places. Behavior wasn&rsquo;t always consistent. The classic duplication trap.</p> <p>The fix was to collapse both into a single script (<code>PROJECT_RATE_LIMITER_LUA</code>) with optional parameters that fall back to sensible defaults. No override key? It behaves like a simple limiter. Pass one? It checks per-project overrides atomically.</p> <h2 id="one-lua-script-to-rule-them-all">One Lua script to rule them all</h2> <p>The core idea: every rate limit check is a single atomic Redis operation. No round-trips, no race conditions between reading the count and incrementing it.</p> <figure class="code-block-figure"> <figcaption>The unified Lua script (simplified)</figcaption> <div class="highlight" title="The unified Lua script (simplified)"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">rate_limit_key</span> <span class="o">=</span> <span class="n">KEYS</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">override_key</span> <span class="o">=</span> <span class="n">KEYS</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">default_max_requests</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">ARGV</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">default_expiry</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">ARGV</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">increment_amount</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">ARGV</span><span class="p">[</span><span class="mi">3</span><span class="p">])</span> <span class="ow">or</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">-- Check for per-project override</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">max_requests</span> <span class="o">=</span> <span class="n">default_max_requests</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">expiry</span> <span class="o">=</span> <span class="n">default_expiry</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">if</span> <span class="n">override_key</span> <span class="o">~=</span> <span class="s2">&#34;&#34;</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="kd">local</span> <span class="n">override</span> <span class="o">=</span> <span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;HGETALL&#39;</span><span class="p">,</span> <span class="n">override_key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="kr">if</span> <span class="o">#</span><span class="n">override</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="c1">-- Parse hash fields into max_requests and expiry</span> </span></span><span class="line"><span class="cl"> <span class="kr">for</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">override</span><span class="p">,</span> <span class="mi">2</span> <span class="kr">do</span> </span></span><span class="line"><span class="cl"> <span class="kr">if</span> <span class="n">override</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;max_requests&#34;</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="n">max_requests</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">override</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="kr">elseif</span> <span class="n">override</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;expiry&#34;</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="n">expiry</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">override</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="kr">end</span> </span></span><span class="line"><span class="cl"> <span class="kr">end</span> </span></span><span class="line"><span class="cl"> <span class="kr">end</span> </span></span><span class="line"><span class="cl"><span class="kr">end</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">-- Get current count</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">count</span> <span class="o">=</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;GET&#39;</span><span class="p">,</span> <span class="n">rate_limit_key</span><span class="p">))</span> <span class="ow">or</span> <span class="o">-</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">is_over_limit</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">if</span> <span class="n">count</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="c1">-- First request in this window</span> </span></span><span class="line"><span class="cl"> <span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;SET&#39;</span><span class="p">,</span> <span class="n">rate_limit_key</span><span class="p">,</span> <span class="n">increment_amount</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;EXPIRE&#39;</span><span class="p">,</span> <span class="n">rate_limit_key</span><span class="p">,</span> <span class="n">expiry</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="n">increment_amount</span> </span></span><span class="line"><span class="cl"> <span class="kr">if</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="n">max_requests</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="n">is_over_limit</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="kr">end</span> </span></span><span class="line"><span class="cl"><span class="kr">elseif</span> <span class="n">count</span> <span class="o">+</span> <span class="n">increment_amount</span> <span class="o">&gt;</span> <span class="n">max_requests</span> <span class="kr">then</span> </span></span><span class="line"><span class="cl"> <span class="n">is_over_limit</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="kr">else</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;INCRBY&#39;</span><span class="p">,</span> <span class="n">rate_limit_key</span><span class="p">,</span> <span class="n">increment_amount</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">end</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kd">local</span> <span class="n">ttl</span> <span class="o">=</span> <span class="n">redis.call</span><span class="p">(</span><span class="s1">&#39;TTL&#39;</span><span class="p">,</span> <span class="n">rate_limit_key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">return</span> <span class="p">{</span><span class="n">is_over_limit</span><span class="p">,</span> <span class="n">count</span><span class="p">,</span> <span class="n">ttl</span><span class="p">,</span> <span class="n">max_requests</span><span class="p">}</span></span></span></code></pre></div> </figure> <p>The script takes two keys and three arguments:</p> <ul> <li><strong>KEYS[1]</strong>: the counter key (e.g. <code>ratelimit:/api/search:1:42</code>)</li> <li><strong>KEYS[2]</strong>: the override key (empty string means &ldquo;no overrides&rdquo;)</li> <li><strong>ARGV[1..3]</strong>: default max requests, expiry in seconds, and increment amount</li> </ul> <p>Everything after that is Redis doing its thing. One <code>EVALSHA</code>, one atomic operation, four values back.</p> <h2 id="redis-key-layout">Redis key layout</h2> <p>The key format puts the endpoint first and IDs at the end:</p> <figure class="code-block-figure"> <pre tabindex="0"><code>Counter: ratelimit:{endpoint}:{org_id}:{project_id} Override: ratelimit_override:{endpoint}:{org_id}:{project_id}</code></pre> </figure> <p>This ordering matters. Endpoint names can contain colons (like <code>api:v1:search</code>), so we parse keys from the right: the last two segments are always <code>org_id:project_id</code>. The <code>parse_override_key()</code> function handles this reliably, stripping the known prefix and extracting integers from the tail.</p> <p>Counters auto-expire via Redis TTL. When the window ends, the key vanishes and the next request starts fresh.</p> <h2 id="per-project-overrides">Per-project overrides</h2> <p>The override system uses Redis hashes. An override key like <code>ratelimit_override:/api/search:1:42</code> stores:</p> <figure class="code-block-figure"> <pre tabindex="0"><code>max_requests = &#34;500&#34; expiry = &#34;120&#34;</code></pre> </figure> <p>Because the Lua script checks for overrides <em>inside</em> the same atomic call, there&rsquo;s no window where a request could slip through with stale limits. If an override exists, it replaces the defaults. If it doesn&rsquo;t, the defaults apply. Zero ambiguity.</p> <p>Overrides have their own optional TTL (independent of the rate limit window), so you can set a temporary elevated limit that auto-expires:</p> <figure class="code-block-figure"> <figcaption>Setting a temporary override</figcaption> <div class="highlight" title="Setting a temporary override"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">await</span> <span class="n">set_rate_limit_override</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">redis</span><span class="p">,</span> <span class="n">org_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="mi">42</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">endpoint</span><span class="o">=</span><span class="s2">&#34;/api/search&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">max_requests</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">expiry</span><span class="o">=</span><span class="mi">120</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">override_ttl</span><span class="o">=</span><span class="mi">86400</span> <span class="c1"># Override expires in 24h, limit window is still 120s</span> </span></span><span class="line"><span class="cl"><span class="p">)</span></span></span></code></pre></div> </figure> <p>Management functions (<code>set</code>, <code>get</code>, <code>delete</code>, <code>list</code>, <code>clear</code>) are provided but designed for admin/provisioning services. Not every consumer needs them.</p> <h2 id="element-based-counting">Element-based counting</h2> <p>Not all requests are equal. A distance matrix call with 10 origins and 5 destinations should count as 50 elements, not 1 request.</p> <p>The <code>increment_amount</code> parameter in the Lua script makes this trivial. Instead of <code>INCR</code>, we use <code>INCRBY</code>:</p> <figure class="code-block-figure"> <figcaption>Element-based rate limiting</figcaption> <div class="highlight" title="Element-based rate limiting"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Request: 10 origins x 5 destinations = 50 elements</span> </span></span><span class="line"><span class="cl"><span class="n">rows</span><span class="p">,</span> <span class="n">cols</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">origins</span><span class="p">),</span> <span class="nb">len</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">destinations</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="n">apply_element_rate_limit</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">max_requests</span><span class="o">=</span><span class="mi">1000</span><span class="p">,</span> <span class="c1"># 1000 elements per minute</span> </span></span><span class="line"><span class="cl"> <span class="n">expiry</span><span class="o">=</span><span class="mi">60</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">increment_amount</span><span class="o">=</span><span class="n">rows</span> <span class="o">*</span> <span class="n">cols</span><span class="p">,</span> <span class="c1"># This request costs 50</span> </span></span><span class="line"><span class="cl"> <span class="n">redis_client</span><span class="o">=</span><span class="n">redis</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">)</span></span></span></code></pre></div> </figure> <p>Element counters use a <code>key_suffix</code> (default: <code>/elements</code>) to maintain separate counters from regular request counting. Same endpoint, two independent limits:</p> <figure class="code-block-figure"> <pre tabindex="0"><code>ratelimit:/api/matrix:1:42 → request counter ratelimit:/api/matrix:/elements:1:42 → element counter</code></pre> </figure> <h2 id="monitor-mode">Monitor mode</h2> <p>Rolling out rate limits on existing APIs is nerve-wracking. You want to know <em>who would be affected</em> before actually blocking anyone.</p> <p>Monitor mode (<code>RATE_LIMIT_MODE=monitor</code>) runs the full rate limit logic (counting, checking, setting headers) but never returns a 429. Instead, it tags the Datadog root span:</p> <figure class="code-block-figure"> <figcaption>Monitor mode behavior</figcaption> <div class="highlight" title="Monitor mode behavior"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">if</span> <span class="n">result</span><span class="o">.</span><span class="n">is_over_limit</span> <span class="ow">and</span> <span class="n">mode</span> <span class="o">==</span> <span class="n">RateLimitMode</span><span class="o">.</span><span class="n">monitor</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">span</span> <span class="o">=</span> <span class="n">tracer</span><span class="o">.</span><span class="n">current_root_span</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">span</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">span</span><span class="o">.</span><span class="n">set_tag</span><span class="p">(</span><span class="s2">&#34;ratelimit.over_limit&#34;</span><span class="p">,</span> <span class="n">endpoint_path</span><span class="p">)</span></span></span></code></pre></div> </figure> <p>Clients still see <code>RateLimit-Remaining: 0</code> in response headers, so they <em>can</em> self-throttle if they&rsquo;re polite. But the server won&rsquo;t enforce it.</p> <p>Three modes, set via the Bender manifest:</p> <table> <thead> <tr> <th>Mode</th> <th>Counts</th> <th>Headers</th> <th>Blocks</th> <th>Datadog tag</th> </tr> </thead> <tbody> <tr> <td><code>on</code></td> <td>Yes</td> <td>Yes</td> <td>Yes (429)</td> <td>No</td> </tr> <tr> <td><code>off</code></td> <td>No</td> <td>No</td> <td>No</td> <td>No</td> </tr> <tr> <td><code>monitor</code></td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>Yes</td> </tr> </tbody> </table> <p>The setting is read dynamically on every request. No restart needed to switch modes.</p> <h2 id="framework-wrappers">Framework wrappers</h2> <h3 id="fastapi-three-entry-points">FastAPI: three entry points</h3> <p>FastAPI gets the most complete support with three ways to rate limit:</p> <p><strong>1. ProjectRateLimiter</strong>: the recommended default. Uses dependency injection, extracts project identity from the authenticated request, supports overrides and monitor mode:</p> <figure class="code-block-figure"> <figcaption>FastAPI ProjectRateLimiter</figcaption> <div class="highlight" title="FastAPI ProjectRateLimiter"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nd">@router.get</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/search&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">dependencies</span><span class="o">=</span><span class="p">[</span><span class="n">Depends</span><span class="p">(</span><span class="n">ProjectRateLimiter</span><span class="p">(</span><span class="n">max_requests</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">expiry</span><span class="o">=</span><span class="mi">60</span><span class="p">))],</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">search</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span></span></span></code></pre></div> </figure> <p>It follows the template method pattern: <code>make_key()</code> and <code>make_override_key()</code> can be overridden without touching the rate limit logic itself:</p> <figure class="code-block-figure"> <figcaption>Custom rate limiter via subclassing</figcaption> <div class="highlight" title="Custom rate limiter via subclassing"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">GeoRateLimiter</span><span class="p">(</span><span class="n">ProjectRateLimiter</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">make_key</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="kc">None</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">region</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">headers</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&#34;X-Region&#34;</span><span class="p">,</span> <span class="s2">&#34;default&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">base</span> <span class="o">=</span> <span class="nb">super</span><span class="p">()</span><span class="o">.</span><span class="n">make_key</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sa">f</span><span class="s2">&#34;</span><span class="si">{</span><span class="n">base</span><span class="si">}</span><span class="s2">:</span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="s2">&#34;</span> <span class="k">if</span> <span class="n">base</span> <span class="k">else</span> <span class="kc">None</span></span></span></code></pre></div> </figure> <p><strong>2. PathRateLimiter</strong>: simpler, no project isolation. Useful for public or webhook endpoints where there&rsquo;s no authenticated project:</p> <figure class="code-block-figure"> <figcaption>FastAPI PathRateLimiter</figcaption> <div class="highlight" title="FastAPI PathRateLimiter"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nd">@router.post</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/webhook&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">dependencies</span><span class="o">=</span><span class="p">[</span><span class="n">Depends</span><span class="p">(</span><span class="n">PathRateLimiter</span><span class="p">(</span><span class="n">max_requests</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">expiry</span><span class="o">=</span><span class="mi">60</span><span class="p">))],</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">webhook</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span></span></span></code></pre></div> </figure> <p><strong>3. Programmatic API</strong>: <code>apply_rate_limit()</code> and <code>apply_element_rate_limit()</code> for when limits depend on request content:</p> <figure class="code-block-figure"> <figcaption>Runtime-determined limits</figcaption> <div class="highlight" title="Runtime-determined limits"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">process_batch</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">response</span><span class="p">:</span> <span class="n">Response</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">batch_size</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">json</span><span class="p">()[</span><span class="s2">&#34;items&#34;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">apply_element_rate_limit</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span><span class="p">,</span> <span class="n">response</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">max_requests</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">expiry</span><span class="o">=</span><span class="mi">60</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">increment_amount</span><span class="o">=</span><span class="n">batch_size</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">redis_client</span><span class="o">=</span><span class="n">redis</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span></span></span></code></pre></div> </figure> <h3 id="django-decorator-based">Django: decorator-based</h3> <p>Django uses a <code>@rate_limit</code> decorator that auto-detects sync vs. async views:</p> <figure class="code-block-figure"> <figcaption>Django rate limiting</figcaption> <div class="highlight" title="Django rate limiting"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nd">@authenticate_key</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="nd">@rate_limit</span><span class="p">(</span><span class="n">max_requests</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">expiry</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">my_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">JsonResponse</span><span class="p">({</span><span class="s2">&#34;status&#34;</span><span class="p">:</span> <span class="s2">&#34;ok&#34;</span><span class="p">})</span></span></span></code></pre></div> </figure> <p>The endpoint name is auto-detected from the URL pattern (e.g. <code>/api/v1/datasets/&lt;int:dataset_id&gt;/search</code>). Django middleware catches <code>RateLimitExceeded</code> exceptions and returns a 429 with the proper rate limit headers.</p> <p>Both frameworks share the same Lua script, the same key generation functions, and the same result handling logic. The wrappers are genuinely thin.</p> <h2 id="the-result-object">The result object</h2> <p>Every rate limit check produces a <code>RateLimitResult</code>:</p> <figure class="code-block-figure"> <figcaption>RateLimitResult</figcaption> <div class="highlight" title="RateLimitResult"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">RateLimitResult</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">is_over_limit</span><span class="p">:</span> <span class="nb">bool</span> </span></span><span class="line"><span class="cl"> <span class="n">request_count</span><span class="p">:</span> <span class="nb">int</span> </span></span><span class="line"><span class="cl"> <span class="n">ttl</span><span class="p">:</span> <span class="nb">int</span> </span></span><span class="line"><span class="cl"> <span class="n">max_requests</span><span class="p">:</span> <span class="nb">int</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@property</span> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">remaining</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">max_requests</span> <span class="o">-</span> <span class="bp">self</span><span class="o">.</span><span class="n">request_count</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">to_headers</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RateLimit-Limit&#34;</span><span class="p">:</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">max_requests</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RateLimit-Remaining&#34;</span><span class="p">:</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">remaining</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RateLimit-Reset&#34;</span><span class="p">:</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ttl</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span></span></span></code></pre></div> </figure> <p>Frozen dataclass, immutable, with a convenience method for standard rate limit headers. Every response (except when mode is <code>off</code>) gets these three headers so clients can implement their own backoff.</p> <h2 id="what-made-this-work">What made this work</h2> <p>A few design decisions that paid off:</p> <p><strong>Atomic override resolution.</strong> The Lua script checks overrides <em>inside</em> the same call that does the counting. No separate Redis roundtrip means no race condition between &ldquo;check the override&rdquo; and &ldquo;apply the limit.&rdquo;</p> <p><strong>Optional parameters with backwards-compatible defaults.</strong> <code>override_key=&quot;&quot;</code> and <code>increment_amount=1</code> mean the same script handles simple path limiting, per-project limiting, and element counting. No script duplication.</p> <p><strong>Dynamic configuration.</strong> <code>get_rate_limit_mode()</code> calls into Bender on every request. No cached settings, no restarts. Switch from <code>monitor</code> to <code>on</code> when you&rsquo;re confident.</p> <p><strong>Separate counters via key suffix.</strong> Element counting doesn&rsquo;t interfere with request counting. Same endpoint, independent limits, same Lua script.</p> <p>The whole thing is tested with <code>fakeredis[lua]</code>, which actually executes the Lua script, so the tests are as close to production behavior as you can get without a real Redis.</p>