← Back to Docs
Recipe
Rate Limiting
Protect your endpoints from abuse with token-bucket rate limiting backed by Upstash KV.
Overview
Meridian uses a sliding-window token-bucket algorithm. Each request consumes a token; tokens refill at a configured rate. When the bucket is empty, the API returns 429 Too Many Requests with a Retry-After header.
Configuration
// meridian.config.ts
export default {
rateLimit: {
window: "60 s", // sliding window
max: 100, // requests per window
key: (req) => // rate-limit key
req.headers.get("x-api-key")
?? req.ip,
},
};Response Headers
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests per window |
| X-RateLimit-Remaining | Tokens remaining |
| Retry-After | Seconds until next token refill |
Per-Route Overrides
Apply stricter limits to sensitive endpoints like auth or webhook handlers by exporting a route-level config.
// app/api/auth/route.ts
export const rateLimit = {
window: "300 s",
max: 5,
};Need custom rate-limit keys or distributed counters? Browse more recipes or check the Upstash KV integration guide.