A practical guide to rate limiting SaaS APIs in 2026, motivated by a real $312 overnight scraping incident. Covers the three core algorithms (fixed window, sliding window, token bucket), where to apply limits (edge, application, worker), and a layered defense stack using Cloudflare, Upstash Ratelimit, and provider budget alerts. Addresses the AI scraper wave with a breakdown of known AI user agents, what robots.txt does and doesn't protect against, and when bot detection tools like Vercel BotID are needed. Includes code examples, proper 429 response formatting, observability tips, and hard-won lessons from real production mistakes.

• 20m read time • From alexcloudstar.com
Table of contents
- What Rate Limiting Actually Buys You
- The Four Things People Confuse With Rate Limiting
- The Three Algorithms Worth Knowing
- Where Do You Limit? At The Edge Or In The App
- My Default Setup In 2026
- The AI Scraper Problem
- Layered Defense In Practice
- What To Return When You Reject
- Observability For Rate Limits
- What I Got Wrong
- The Real Lesson
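The summary names the three algorithms (fixed window, sliding window, token bucket) and "proper 429 response formatting" without showing them. The block below is an added example written for this page; it is not code from alexcloudstar.com or from the post. It implements each algorithm as an in-memory limiter with an injectable clock, so the fixed-window boundary burst and the token-bucket refill can be checked deterministically, and builds the rejection response. The result shape ({allowed, remaining, resetMs}), the RateLimit-* header names (taken from the IETF draft) and the JSON error body are my assumptions, not necessarily what the post uses.

```javascript
// Added example, not code from the original post. Three in-memory rate
// limiters plus the 429 response shape. `now` returns milliseconds and is
// injectable for testing. Per-process Maps only limit one node; a shared
// store (Redis, Upstash) is needed across instances.
//
// Result shape (assumed): { allowed, remaining, resetMs } where resetMs is
// the time until at least one more request is allowed (on denial) or until
// the current window/bucket state clears (on acceptance).

class FixedWindow {
  // Counts hits per key in windows aligned to windowMs. Cheap, but a client
  // can fit 2*limit requests into the span straddling a window boundary.
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
    this.counts = new Map(); // key -> { windowStart, count }
  }
  check(key) {
    const t = this.now();
    const windowStart = t - (t % this.windowMs);
    let entry = this.counts.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 };
      this.counts.set(key, entry);
    }
    const resetMs = windowStart + this.windowMs - t;
    if (entry.count >= this.limit) return { allowed: false, remaining: 0, resetMs };
    entry.count += 1;
    return { allowed: true, remaining: this.limit - entry.count, resetMs };
  }
}

class SlidingWindowLog {
  // Keeps timestamps of recent hits; allowed if fewer than `limit` hits fall in
  // the trailing windowMs. Exact (no boundary burst) at O(limit) memory per key.
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
    this.log = new Map(); // key -> ascending array of hit timestamps
  }
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const hits = (this.log.get(key) || []).filter((ts) => ts > cutoff);
    this.log.set(key, hits);
    if (hits.length >= this.limit) {
      // The oldest hit still in the window expires at hits[0] + windowMs.
      return { allowed: false, remaining: 0, resetMs: hits[0] + this.windowMs - t };
    }
    hits.push(t);
    return { allowed: true, remaining: this.limit - hits.length, resetMs: this.windowMs };
  }
}

class TokenBucket {
  // Each key holds up to `capacity` tokens refilled at refillPerSec; a request
  // spends one. Bursts up to capacity pass, the sustained rate is capped.
  constructor(capacity, refillPerSec, now = () => Date.now()) {
    this.capacity = capacity; this.refillPerSec = refillPerSec; this.now = now;
    this.buckets = new Map(); // key -> { tokens, last }
  }
  check(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: t }; this.buckets.set(key, b); }
    const elapsedSec = (t - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens < 1) {
      // Time until the fractional deficit is refilled to one whole token.
      const resetMs = Math.ceil(((1 - b.tokens) / this.refillPerSec) * 1000);
      return { allowed: false, remaining: 0, resetMs };
    }
    b.tokens -= 1;
    return { allowed: true, remaining: Math.floor(b.tokens), resetMs: 0 };
  }
}

// Status and headers for a limiter result. Retry-After is whole seconds,
// rounded up, as RFC 9110 requires; the RateLimit-* names follow the IETF
// draft and are an assumption about what "proper 429 formatting" means here.
function rateLimitResponse(result, limit) {
  const resetSec = Math.ceil(result.resetMs / 1000);
  const headers = {
    'RateLimit-Limit': String(limit),
    'RateLimit-Remaining': String(result.remaining),
    'RateLimit-Reset': String(resetSec),
  };
  if (result.allowed) return { status: 200, headers };
  headers['Retry-After'] = String(Math.max(1, resetSec));
  return { status: 429, headers, body: { error: 'rate_limited', retry_after: Math.max(1, resetSec) } };
}
```

Driving the fixed-window and sliding-window limiters with the same clock shows the difference the post's algorithm section is about: with limit 2 per second, a key that spent its two hits at t=100 and t=200 ms is accepted again by the fixed window at t=1000 ms (new aligned window) but still rejected by the sliding log until t=1101 ms. Send the 429 with the Retry-After value from the limiter rather than a constant, or well-behaved clients will either hammer too early or back off for far longer than needed.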
