RateShield
v1.0 -- production ready

Rate limiting that doesn't break.

Redis-backed request control, API key management, live observability, and production-grade enforcement through one clean service.

FIXED WINDOW. SLIDING WINDOW. TOKEN BUCKET. REDIS-BACKED. EDGE-READY. OPEN SOURCE. ~5MS MEDIAN. GLOBALLY CONSISTENT.

WHY RATESHIELD

~5ms MEDIAN LATENCY
OPEN SOURCE, MIT LICENSED
12k+ CHECKS / SEC / NODE
3 ALGORITHMS

Built like infrastructure.
Designed like a tool.

Three algorithms, one API

Fixed window, sliding window, and token bucket. Pick per route.

Distributed by default

Backed by Redis. No race conditions. Globally consistent counters.

Live observability

Every check is logged. Every block is visible. No black boxes.

enforce.sh
# Create a rate-limit rule
curl -X POST https://ratesheild.onrender.com/check \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key": "user:123",
    "algo": "sliding",
    "window": 60,
    "limit": 100
  }'

# Response
# 200 OK   → request allowed
# 429      → rate limit exceeded
WHY NOT DIY

Why not just use Redis INCR?

You could. Here's what you'd also have to build and maintain.

Race conditions

Redis INCR + EXPIRE is two commands. Between them, keys leak. RateShield uses Lua scripts for atomic check-and-increment.

Sliding window is hard

You need sorted sets, ZREMRANGEBYSCORE, ZCARD, and cleanup logic — all atomically. One missed edge case and your limits drift.

Token bucket is harder

Hash maps, fractional refill math, last-refill timestamps. Get the math wrong and you either throttle users or let traffic through.

Multi-tenant from scratch

Per-user isolation, API key management, revocation, audit logs, dashboard. That's weeks of work before you write your first rate limit.
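
The refill math from the token bucket item above, as an added example (not RateShield's code, which the page says runs as Lua scripts in Redis): a plain-Python model with the clock passed in, showing the correct refill next to two common mistakes. The names `Bucket`, `check`, `check_truncating`, `check_uncapped` and `allowed`, and the capacity, rate and timestamps, are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    capacity: float  # maximum burst size
    rate: float      # tokens refilled per second (may be fractional)
    tokens: float    # current balance, kept as a float
    last: float      # time of the last refill, in seconds

def _take(b, cost):
    if b.tokens >= cost:
        b.tokens -= cost
        return True
    return False

def check(b, now, cost=1.0):
    """Correct: fractional refill, capped at capacity, clock never runs backwards."""
    elapsed = max(0.0, now - b.last)
    b.tokens = min(b.capacity, b.tokens + elapsed * b.rate)
    b.last = max(b.last, now)
    return _take(b, cost)

def check_truncating(b, now, cost=1.0):
    """Bug: rounds the refill down to whole tokens but still advances `last`."""
    elapsed = max(0.0, now - b.last)
    b.tokens = min(b.capacity, b.tokens + int(elapsed * b.rate))
    b.last = now
    return _take(b, cost)

def check_uncapped(b, now, cost=1.0):
    """Bug: no capacity cap, so idle time banks an unbounded burst."""
    b.tokens += max(0.0, now - b.last) * b.rate
    b.last = now
    return _take(b, cost)

def allowed(check_fn, times, start_tokens):
    """Replay constructed request timestamps; return how many were allowed."""
    b = Bucket(capacity=5, rate=0.5, tokens=start_tokens, last=0.0)
    return sum(check_fn(b, t) for t in times)

POLLING = [float(t) for t in range(1, 61)]  # constructed: one request per second for 60 s
BURST = [1000.0] * 100                      # constructed: 100 requests after 1000 s idle

if __name__ == "__main__":
    print("polling:", allowed(check, POLLING, 0), allowed(check_truncating, POLLING, 0))
    print("burst:  ", allowed(check, BURST, 5), allowed(check_uncapped, BURST, 5))
```

The truncating variant starves a client that polls faster than one token interval, and the uncapped variant lets a long-idle key spend far more than its burst size in one instant.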

Stop guessing. Start measuring.

Free for the first 100k requests/month. No card required.
