
What is rate limiting in APIs and when do you return 429?

Rate limiting caps how many requests a client (identified by IP, API key, or user ID) can make in a time window. It protects your origin from overload, reduces the impact of scraping, and throttles abuse. When a client exceeds its limit, a common response is 429 Too Many Requests, sometimes with a Retry-After header. Implementations range from in-memory counters per instance (simple, but imperfect at scale) to Redis with sliding windows, to edge rules on API gateways. Limits are a product and contract decision, not a magic default.

HTTP/1.1 429 Too Many Requests
Retry-After: 60
# or custom headers: X-RateLimit-Remaining, etc.
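
The simplest option above, a per-instance in-memory limiter, sketched as a sliding-window log. This is an added example, not code from the original page; the class name, the injectable clock, and the sample key are assumptions made for illustration.

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` accepted requests per `window` seconds, per client key.

    State lives in this process only, so N instances behind a load balancer
    allow up to N * limit in total; a shared store such as Redis removes that gap.
    Idle keys are never evicted here; a real service would expire them.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the window can be tested without sleeping
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, key):
        """Return (status, headers) for one request from `key`."""
        now = self.clock()
        q = self.hits[key]
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest accepted hit leaves the window at q[0] + window.
            retry_after = max(1, math.ceil(q[0] + self.window - now))
            return 429, {"Retry-After": str(retry_after),
                         "X-RateLimit-Remaining": "0"}
        # Only accepted requests are recorded, so rejected retries
        # do not extend the time the client stays blocked.
        q.append(now)
        return 200, {"X-RateLimit-Remaining": str(self.limit - len(q))}


def demo():
    """Replay constructed arrival gaps (seconds) for one client key."""
    t = [0.0]
    limiter = SlidingWindowLimiter(limit=3, window=60, clock=lambda: t[0])
    results = []
    for gap in (0, 10, 10, 5, 36, 0):
        t[0] += gap
        results.append(limiter.check("api-key-123"))  # constructed key
    return results
```

Retry-After is computed from the oldest request still inside the window, so a client that waits that long is admitted again.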

Start simple: try this concept in a tiny project before moving to advanced tools.

http, reliability, security
