🚦How to Prevent API Abuse in Laravel with Throttle Middleware
Learn to apply smart, scalable throttling strategies in Laravel to protect your API from abuse.
In today's API-driven applications, security, scalability, and stability are key. One way Laravel helps developers achieve this is through API rate limiting. Whether you're building an internal API or a public-facing one, rate limiting protects your backend from abuse and overload.
🔍 What is API Rate Limiting?
Rate limiting is a technique used to control how many requests a user (or client) can make to your API in a given period.
For example:
"You can only send 60 requests per minute."
Laravel uses a powerful middleware system to enforce these limits.
🛡️ Why Should You Use Rate Limiting?
Rate limiting is crucial for:
🔐 Preventing brute force login attacks
🛑 Stopping spamming bots or scrapers
⚖️ Ensuring fair use among all users
🔄 Avoiding server overload or denial-of-service (DoS)
💰 Tiered API limits for free vs premium users
🛠️ How Laravel Handles Rate Limiting
Laravel includes the ThrottleRequests middleware out of the box, registered under the throttle alias, so any route or group can be limited with a single middleware call.
🧩 1. Route::middleware('throttle:60,1')->group(...)
✅ Best For:
Simple, quick rate limiting
When all routes in a group share the same limit
Great for small to medium-sized APIs with no user-based customization.
Route::middleware('throttle:60,1')->group(function () {
    Route::get('/posts', [PostController::class, 'index']);
    Route::post('/comments', [CommentController::class, 'store']);
});
💡 Use case:
You want to limit all visitors to 60 requests per minute to avoid abuse.
🧩 2. Route::middleware('throttle:10,1') on single routes
✅ Best For:
Sensitive endpoints (login, registration)
Limiting abuse only on specific actions
Route::post('/login', [AuthController::class, 'login'])
    ->middleware('throttle:5,1');
💡 Use case:
Allow only 5 login attempts per minute per client. Laravel keys the default throttle on the authenticated user's id and falls back to the client IP address for guests, which caps brute-force password guessing on this endpoint.
🧩 3. Custom RateLimiter::for() in RouteServiceProvider
✅ Best For:
Dynamic logic based on user role, API key, IP, or even route
Centralized, scalable configuration
Required if you want different limits for different users or plans.
📘 Example 1: Role-based limits (premium vs free users)
// RouteServiceProvider.php (inside boot() / configureRateLimiting())
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('user-api', function (Request $request) {
    $user = $request->user();
    if ($user === null) { // guests have no id: key on the IP instead of dereferencing null
        return Limit::perMinute(20)->by($request->ip());
    }
    return $user->is_premium
        ? Limit::perMinute(100)->by($user->id)
        : Limit::perMinute(20)->by($user->id);
});
Then in api.php:
Route::middleware('throttle:user-api')->get('/dashboard', [DashboardController::class, 'index']);
💡 Use case:
Premium users get higher rate limits than free users.
📘 Example 2: API key-based throttling
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('api-key', function (Request $request) {
    // Requests without a key fall back to the IP so anonymous clients do not all share one bucket.
    $apiKey = $request->header('X-API-KEY') ?: 'ip:'.$request->ip();
    return Limit::perHour(1000)->by($apiKey);
});
In routes:
Route::middleware('throttle:api-key')->get('/v1/public-data', [ApiController::class, 'index']);
💡 Use case:
Public API where users authenticate using API keys: enforce hourly limits per API key. Because the limiter key is taken straight from the client-supplied header, pair it with key validation; otherwise every made-up key receives its own fresh quota.
🧠 Best Practices for Rate Limiting
⚠️ Return proper 429 Too Many Requests responses.
🔁 Use the Retry-After header to tell clients when they can retry.
🔐 Apply stricter limits to login, registration, and sensitive endpoints.
📊 Use monitoring tools like Telescope or Laravel Debugbar for insight.
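Putting Examples 1 and 2 together with the practices above, here is an added example (my own code, not from the original post) of a RouteServiceProvider that defines a login limiter keyed on email plus IP, answers with a JSON 429 carrying the Retry-After header, and applies tiered per-minute and per-day limits. It assumes Laravel 9 or later (the $headers argument to Limit::response() and array-of-limits support) and an is_premium column on the User model; the limiter names are mine.

```php
<?php
// Added example, not from the original post. Assumes Laravel 9+ and User::$is_premium.
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

class RouteServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Login: key on lower-cased email + IP (the key Laravel's docs use), so the
        // attempt budget is tied to the account being targeted and the address trying it.
        RateLimiter::for('login', function (Request $request) {
            $key = Str::lower((string) $request->input('email')).'|'.$request->ip();

            return Limit::perMinute(5)->by($key)->response(
                // $headers already carries Retry-After and X-RateLimit-*; pass them through.
                fn (Request $request, array $headers) => response()->json(
                    ['message' => 'Too many login attempts, try again later.'], 429, $headers
                )
            );
        });

        // Tiered limits. Guests fall back to the IP so a null user neither crashes the
        // closure nor shares one bucket; returning an array enforces every limit in it.
        RateLimiter::for('user-api', function (Request $request) {
            $user = $request->user();
            if ($user === null) {
                return Limit::perMinute(10)->by('ip:'.$request->ip());
            }
            $premium = (bool) $user->is_premium;

            return [
                Limit::perMinute($premium ? 100 : 20)->by('user:'.$user->id),
                Limit::perDay($premium ? 50_000 : 2_000)->by('user-day:'.$user->id),
            ];
        });

        // Same routes registration as the Laravel skeleton.
        $this->routes(fn () => Route::middleware('api')->prefix('api')->group(base_path('routes/api.php')));
    }
}
// routes/api.php usage (hypothetical controllers):
//   Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:login');
//   Route::middleware('throttle:user-api')->get('/dashboard', [DashboardController::class, 'index']);
```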
✨ Conclusion
Rate limiting is a simple yet powerful way to secure your Laravel APIs and maintain server performance. With Laravel's built-in support, implementing smart limits is just a few lines of code away.