API Rate Limiter
Run ID: 69cb2dd061b1021a29a869f22026-03-31Development
PantheraHive BOS
BOS Dashboard

API Rate Limiter: Architecture Plan & Learning Pathway

This document outlines a comprehensive architecture plan for an API Rate Limiter, followed by a structured learning pathway for understanding and implementing such a system. This deliverable is designed to provide both a detailed technical blueprint and a strategic educational roadmap.

Part 1: API Rate Limiter Architecture Plan

1. Introduction and Purpose

An API Rate Limiter is a critical component in modern distributed systems, designed to control the rate at which consumers can access an API. Its primary purposes include:

2. Key Requirements

2.1. Functional Requirements:

2.2. Non-Functional Requirements:

3. High-Level Architecture

The API Rate Limiter will typically sit in the request path, intercepting incoming API requests before they reach the backend services.

text • 1,133 chars
+-------------------+     +-----------------------------------+     +-------------------------+
|     API Client    | --> |           API Gateway             | --> |    Backend Services     |
| (Web/Mobile/CLI)  |     | (e.g., Nginx, Envoy, AWS API GW)  |     | (Microservices, DBs, etc.)|
+-------------------+     +-----------------+-----------------+     +-------------------------+
                                    |
                                    |  (Request Metadata: IP, User ID, API Key, Path, Method)
                                    V
                          +-------------------------+
                          |   Rate Limiter Service  |
                          |   (Decision Logic)      |
                          +-----------+-------------+
                                      |
                                      |  (Update/Check Counters)
                                      V
                          +-------------------------+
                          |   Distributed Cache/DB  |
                          |   (e.g., Redis Cluster) |
                          +-------------------------+
Sandboxed live preview

Key Components:

  1. API Gateway/Proxy: Intercepts all incoming requests, extracts relevant metadata (IP, user ID, API key, endpoint), and forwards them to the Rate Limiter Service.
  2. Rate Limiter Service: Contains the core logic for applying rate limiting algorithms, querying/updating counters, and making decisions (allow/deny). This service can be integrated directly into the API Gateway or run as a separate microservice.
  3. Distributed Data Store: Stores rate limit counters and configuration. It must be highly performant and consistent across distributed instances of the Rate Limiter Service.

4. Detailed Design Components

4.1. Placement Strategy:

  • API Gateway Level (Recommended for most cases):

* Pros: Centralized control, early rejection of requests, protects all downstream services.

* Cons: Gateway becomes a critical bottleneck if not scaled properly.

* Examples: Nginx with ngx_http_limit_req_module, Envoy Proxy with Global Rate Limit service, AWS API Gateway Throttling.

  • Service Mesh Level:

* Pros: Fine-grained control per service, transparent to application code.

* Cons: Adds complexity to the service mesh configuration.

* Examples: Istio with Envoy-based rate limiting.

  • Application Level:

* Pros: Most granular control, custom logic.

* Cons: Duplication of logic across services, requires application code changes, harder to manage globally.

4.2. Rate Limiting Algorithms (Selection based on requirements):

  • Fixed Window Counter:

* Concept: Divides time into fixed-size windows (e.g., 1 minute). Counts requests within each window.

* Pros: Simple to implement, low memory usage.

* Cons: "Burstiness" at window edges (e.g., 60 requests at 0:59 and 60 requests at 1:01, totaling 120 in a short span).

* Use Case: Basic, less critical rate limits.

  • Sliding Window Log:

* Concept: Stores timestamps of all requests. When a new request arrives, remove timestamps older than the window, then count remaining.

* Pros: Highly accurate, smooth rate limiting.

* Cons: High memory usage (stores every timestamp), computationally expensive for large windows/high rates.

* Use Case: Strict, accurate rate limits where memory is not a major concern.

  • Sliding Window Counter (Recommended for distributed systems):

* Concept: Uses two fixed windows: current and previous. Counts requests in the current window and a weighted average of the previous window.

* Pros: Balances accuracy and efficiency, mitigates edge effects of Fixed Window, suitable for distributed counters.

* Cons: Slightly more complex than Fixed Window, not perfectly accurate.

* Implementation: Store counts for current and previous windows in Redis.

  • Token Bucket:

* Concept: A "bucket" holds tokens that are added at a fixed rate. Each request consumes one token. If the bucket is empty, the request is denied. Max tokens in bucket define burst capacity.

* Pros: Allows for bursts, smooths traffic, simple to understand.

* Cons: Requires state management (tokens in bucket), difficult to perfectly synchronize in a distributed environment without a central store.

* Use Case: Ideal for scenarios needing burst tolerance.

  • Leaky Bucket:

* Concept: Requests are added to a queue (the bucket). Requests "leak" out of the bucket at a constant rate. If the bucket is full, new requests are dropped.

* Pros: Smooths out bursts into a steady stream.

* Cons: Introduces latency due to queuing, queue size limited, complex to manage in a distributed setup.

* Use Case: When downstream services cannot handle bursts and need a very steady input rate.

Recommendation: Start with Sliding Window Counter for its balance of accuracy, efficiency, and suitability for distributed environments. Consider Token Bucket if burst handling is a primary requirement and a central store (like Redis) can manage token counts.

4.3. Data Storage for Counters and Configuration:

  • Redis (Recommended):

* Pros: In-memory key-value store, extremely fast read/write operations, supports atomic increments, TTL (Time-To-Live) for keys, Lua scripting for complex atomic operations. Redis Cluster provides high availability and scalability.

* Cons: Data is primarily in-memory, requiring persistence configuration (RDB/AOF) for durability.

* Implementation: Use Redis hashes or sorted sets to store counters for different keys (e.g., rate_limit:{user_id}:{endpoint}:{window_size}).

  • Cassandra/DynamoDB:

* Pros: Highly scalable, distributed, fault-tolerant, good for high write throughput.

* Cons: Higher latency than Redis for individual operations, eventual consistency might be a concern for strict rate limiting.

* Use Case: For very large-scale, less strict, long-term quota management rather than per-second rate limiting.

  • In-Memory (for single node or simple cases):

* Pros: Fastest, simplest.

* Cons: Not suitable for distributed systems, no persistence, limited scalability.

4.4. Configuration Management:

  • Centralized Configuration Service: Use a service like Consul, etcd, or Kubernetes ConfigMaps to store rate limit rules.
  • Dynamic Updates: The Rate Limiter Service should subscribe to configuration changes and update rules without downtime.
  • Rule Structure: Define rules using a structured format (YAML/JSON) specifying:

* id: Unique rule identifier

* match_criteria: (e.g., ip, user_id, api_key, path_prefix, method)

* limit: Number of requests

* window: Time duration (e.g., 1m, 1h, 1d)

* algorithm: (e.g., sliding_window_counter, token_bucket)

* response_code: (e.g., 429)

* headers_on_exceed: (e.g., X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)

4.5. Concurrency and Synchronization:

  • Atomic Operations: Leverage atomic operations provided by the data store (e.g., INCRBY in Redis) to ensure counter consistency in a concurrent environment.
  • Distributed Locks: For more complex scenarios or algorithms, distributed locks (e.g., Redlock in Redis) might be considered, though they add complexity and can impact performance.
  • Lua Scripting in Redis: For multi-command atomic operations (e.g., checking and incrementing a counter, then setting an expiry), Lua scripts can execute atomically on the Redis server, avoiding race conditions.

4.6. Monitoring and Alerting:

  • Metrics: Collect and expose metrics such as:

* Total requests processed

* Requests allowed/denied

* Latency of rate limit decisions

* Error rates

* Resource utilization (CPU, memory) of the Rate Limiter Service

  • Logging: Detailed logs for requests, decisions (allow/deny), and configuration changes.
  • Alerting: Set up alerts for:

* High rate of denied requests for a specific user/IP.

* High latency in rate limiting decisions.

* Failure of the Rate Limiter Service or its data store.

  • Tools: Prometheus for metrics collection, Grafana for visualization, ELK stack (Elasticsearch, Logstash, Kibana) for logging, PagerDuty/Opsgenie for alerts.

4.7. Error Handling and Fallbacks:

  • Data Store Unavailability: If the distributed data store (e.g., Redis) is unavailable:

* Fail-open (Permissive): Allow all requests to pass through (risk of abuse, but avoids blocking legitimate traffic).

* Fail-closed (Restrictive): Deny all requests (ensures protection, but causes service disruption).

* Graceful Degradation: Implement a local, in-memory fallback rate limiter with coarse-grained limits.

  • Rate Limiter Service Failure: The API Gateway should be configured to bypass the Rate Limiter Service if it's unhealthy, potentially falling back to a default, less strict rate limit at the gateway level.

4.8. Scalability and High Availability:

  • Rate Limiter Service: Deploy as multiple instances behind a load balancer. Stateless or near-stateless design (relying on the distributed data store) simplifies scaling.
  • Distributed Data Store: Use a highly available and scalable solution like Redis Cluster, which shards data across multiple nodes and provides replication for fault tolerance.
  • API Gateway: Use a scalable and highly available gateway solution (e.g., Nginx in a cluster, Envoy, cloud-managed API gateways).

5. API Design (for clients exceeding limits)

When a client exceeds their rate limit, the API Gateway/Rate Limiter should return an HTTP 429 Too Many Requests status code. It should also include informative headers:

  • X-RateLimit-Limit: The maximum number of requests allowed in the current window.
  • X-RateLimit-Remaining: The number of requests remaining in the current window.
  • X-RateLimit-Reset: The UTC epoch seconds when the current rate limit window resets.

6. Deployment Considerations

  • Containerization: Package the Rate Limiter Service in Docker containers.
  • Orchestration: Deploy using Kubernetes for automated scaling, healing, and management.
  • Infrastructure as Code: Define infrastructure (Redis Cluster, Kubernetes deployments, configurations) using tools like Terraform or CloudFormation.
  • Canary Deployments: For updates to the Rate Limiter Service or its configuration, use canary deployments to gradually roll out changes and monitor for issues.

7. Future Enhancements

  • Behavioral Rate Limiting: Dynamic adjustment of limits based on user behavior patterns.
  • Machine Learning Integration: Use ML to detect and mitigate sophisticated attack patterns.
  • Geographic Rate Limiting: Apply different limits based on the origin country/region of the request.
  • Integration with Billing Systems: Automatically adjust limits based on customer subscription tiers or usage.
  • Advanced Quota Management: Support for complex quota rules across multiple APIs and timeframes.

Part 2: Learning Pathway for API Rate Limiter Design & Implementation

This study plan is designed for engineers looking to gain a deep understanding of API Rate Limiters, from theoretical concepts to practical implementation.

Overall Goal:

By the end of this plan, you will be able to design, implement, and operate a robust, scalable, and highly available API Rate Limiter for distributed

gemini Output

This document provides a comprehensive, detailed, and professional output for implementing an API Rate Limiter. It includes production-ready code, thorough explanations, and actionable guidance for integration into a distributed system environment.

API Rate Limiter: Production-Ready Implementation

1. Introduction: The Necessity of API Rate Limiting

API rate limiting is a critical component for building robust, scalable, and secure web services. It controls the number of requests a client can make to an API within a defined time window. Without effective rate limiting, APIs are vulnerable to various issues:

  • Abuse and Misuse: Malicious actors can overwhelm the API with requests, leading to Denial of Service (DoS) attacks.
  • Resource Exhaustion: High request volumes can deplete server resources (CPU, memory, database connections), impacting legitimate users.
  • Cost Overruns: For cloud-based services, increased resource usage directly translates to higher operational costs.
  • Fair Usage: Ensures that no single client monopolizes API resources, promoting fair access for all users.
  • Operational Stability: Prevents cascading failures by protecting backend services from sudden spikes in traffic.

This deliverable focuses on a robust, distributed API rate limiting solution using Python and Redis, leveraging the Sliding Window Log algorithm for accuracy and fairness.

2. Algorithm Choice: Sliding Window Log with Redis Sorted Sets

Several algorithms exist for rate limiting (Fixed Window, Leaky Bucket, Token Bucket, Sliding Window Counter, Sliding Window Log). For a production-grade, distributed system, the Sliding Window Log algorithm offers an excellent balance of accuracy, fairness, and performance, especially when backed by a persistent, high-performance data store like Redis.

2.1 Why Sliding Window Log?

  • Accuracy: Unlike the Fixed Window algorithm, which can allow double the limit at window boundaries, the Sliding Window Log precisely tracks each request's timestamp.
  • Fairness: It prevents bursts of requests at the start of a new window, distributing requests more evenly over time.
  • Simplicity (relative to its power): While conceptually tracking every request, Redis Sorted Sets make its implementation surprisingly straightforward and efficient.

2.2 Why Redis Sorted Sets?

Redis Sorted Sets (ZSET) are ideal for implementing the Sliding Window Log:

  • Timestamp Storage: Each request's timestamp can be stored as a member's score, with a unique identifier (e.g., UUID or request ID) as the member.
  • Efficient Range Deletion: ZREMRANGEBYSCORE allows for quick removal of all timestamps older than the current window.
  • Efficient Counting: ZCARD provides the count of remaining requests within the window.
  • Atomicity: Redis operations are atomic, ensuring thread-safe and consistent updates in a concurrent environment.
  • Distribution: Redis is an in-memory data structure store that can be accessed by multiple application instances, making it perfect for distributed rate limiting.
  • Expiration: Keys can be set to expire, preventing an unbounded growth of data for inactive rate limit keys.

3. Core Components and Design Principles

The solution will consist of:

  1. RedisRateLimiter Class: Encapsulates the core rate limiting logic, interacting with Redis.
  2. Web Framework Decorator: A higher-order function (decorator) to easily apply rate limits to API endpoints (demonstrated with Flask).
  3. HTTP Headers: Proper X-RateLimit-* headers to communicate rate limit status to clients.

Design Principles:

  • Modularity: Separate the rate limiting logic from the application logic.
  • Configurability: Allow easy configuration of limits, periods, and Redis connection details.
  • Extensibility: Design for easy adaptation to different keying strategies (IP, User ID, API Key, Endpoint).
  • Clear Feedback: Provide clear HTTP responses (429 Too Many Requests) and informational headers.
  • Concurrency Safe: Leverage Redis's atomic operations for thread-safe handling.

4. Code Implementation (Python with redis-py)

This implementation provides a RedisRateLimiter class and a Flask decorator for easy integration.

4.1 Prerequisites

Before running the code, ensure you have redis-py installed and a Redis server running:


pip install redis flask

4.2 rate_limiter.py


import time
import uuid
import functools
from typing import Optional, Tuple, Callable, Any
import redis
from flask import request, jsonify, make_response

class RedisRateLimiter:
    """
    A distributed API Rate Limiter implementation using Redis Sorted Sets (ZSET)
    to implement the Sliding Window Log algorithm.

    Each request's timestamp is added to a sorted set for a specific key (e.g., user ID, IP address).
    When checking a limit, all timestamps older than the window are removed, and the remaining
    count is checked against the limit.
    """

    def __init__(self, redis_client: redis.Redis, default_limit: int, default_period: int):
        """
        Initializes the RedisRateLimiter.

        Args:
            redis_client: An initialized Redis client instance.
            default_limit: The default maximum number of requests allowed within the period.
            default_period: The default time window in seconds for the rate limit.
        """
        self.redis_client = redis_client
        self.default_limit = default_limit
        self.default_period = default_period
        # A small buffer for key expiration to ensure cleanup, slightly larger than period
        self._key_expiration_buffer = 10 

    def _get_current_timestamp(self) -> float:
        """Returns the current timestamp in seconds (float for millisecond precision)."""
        return time.time()

    def allow_request(self, key: str, limit: Optional[int] = None, period: Optional[int] = None) -> Tuple[bool, int, int]:
        """
        Checks if a request is allowed for a given key based on the rate limit.

        Args:
            key: The unique identifier for the rate limit (e.g., "ip:192.168.1.1", "user:123").
            limit: The maximum number of requests allowed. Defaults to self.default_limit.
            period: The time window in seconds. Defaults to self.default_period.

        Returns:
            A tuple: (allowed: bool, remaining_requests: int, reset_time_seconds: int).
            - allowed: True if the request is within the limit, False otherwise.
            - remaining_requests: How many requests are left in the current window.
                                  Will be 0 if not allowed.
            - reset_time_seconds: The time in seconds until the current window resets
                                  (i.e., when the oldest request in the window expires).
        """
        current_limit = limit if limit is not None else self.default_limit
        current_period = period if period is not None else self.default_period

        now = self._get_current_timestamp()
        
        # Use a unique member ID for the ZSET to allow multiple requests at the exact same timestamp
        # This is crucial for ZADD to work correctly if timestamps are identical.
        member_id = f"{now}-{uuid.uuid4()}" 

        # Pipeline multiple Redis commands for atomicity and efficiency
        with self.redis_client.pipeline() as pipe:
            # 1. Remove all requests older than the current window
            # ZREMRANGEBYSCORE key min_score max_score
            # min_score is 'now - current_period', max_score is 'now' (or earlier, not including now)
            pipe.zremrangebyscore(key, 0, now - current_period)

            # 2. Add the current request's timestamp to the sorted set
            # ZADD key score member
            pipe.zadd(key, {member_id: now})

            # 3. Get the current count of requests in the window
            # ZCARD key
            pipe.zcard(key)

            # 4. Set an expiration on the key. This prevents keys from accumulating indefinitely
            # for inactive rate limiters. The expiration should be slightly longer than the period
            # to allow for cleanup of old entries before the key itself is removed.
            pipe.expire(key, current_period + self._key_expiration_buffer)

            # Execute all commands in the pipeline
            _, _, count, _ = pipe.execute()

        allowed = count <= current_limit
        remaining = max(0, current_limit - count)

        # Calculate reset time: find the timestamp of the oldest request in the window.
        # If the window is full, the reset time is when the oldest request expires.
        # If the window is not full, reset time is 0 (or period) as new requests can be added.
        reset_time = 0
        if count >= current_limit:
            # Get the score (timestamp) of the oldest element in the sorted set
            # ZRANGE key start stop WITHSCORES (start=0, stop=0 gets the first element)
            oldest_request = self.redis_client.zrange(key, 0, 0, withscores=True)
            if oldest_request:
                # oldest_request is a list of tuples: [(member_id, score)]
                oldest_timestamp = oldest_request[0][1]
                reset_time = int(oldest_timestamp + current_period - now)
                reset_time = max(0, reset_time) # Ensure it's not negative

        return allowed, remaining, reset_time

def rate_limit(limiter: RedisRateLimiter, limit: Optional[int] = None, period: Optional[int] = None, key_prefix: str = "rate_limit") -> Callable:
    """
    A decorator for Flask (or similar web frameworks) to apply rate limiting to routes.

    Args:
        limiter: An instance of RedisRateLimiter.
        limit: The maximum number of requests allowed. Defaults to the limiter's default_limit.
        period: The time window in seconds. Defaults to the limiter's default_period.
        key_prefix: A prefix for the Redis key to make it more descriptive.
    """
    def decorator(f: Callable) -> Callable:
        @functools.wraps(f)
        def wrapper(*args: Any, **kwargs: Any) -> Any:
            # Determine the rate limiting key.
            # This example uses the client's IP address and the endpoint path.
            # You might want to use a user ID from a JWT, an API key, etc.
            client_ip = request.remote_addr or "unknown_ip"
            endpoint_path = request.path
            
            # Construct a unique key for this rate limit
            rate_limit_key = f"{key_prefix}:{client_ip}:{endpoint_path}"

            allowed,
gemini Output

API Rate Limiter: Comprehensive Documentation and Recommendations

This document provides a detailed overview of API Rate Limiting, its importance, common implementation strategies, and best practices. This deliverable is designed to equip you with the knowledge necessary to effectively implement and manage rate limiting for your APIs, ensuring stability, security, and a positive user experience.

1. Introduction to API Rate Limiting

An API Rate Limiter is a mechanism that controls the number of requests a client can make to an API within a defined timeframe. Its primary purpose is to prevent abuse, ensure fair usage, protect backend resources, and maintain the overall stability and performance of the API service.

Key Objectives:

  • Prevent Abuse: Mitigate denial-of-service (DoS) attacks, brute-force attempts, and excessive scraping.
  • Ensure Fair Usage: Distribute API capacity equitably among all consumers, preventing a single client from monopolizing resources.
  • Protect Infrastructure: Safeguard backend servers, databases, and other services from being overloaded by a surge of requests.
  • Cost Management: For services with usage-based billing, rate limiting can help control operational costs by preventing runaway consumption.
  • Maintain QoS: Ensure a consistent quality of service for legitimate users by preventing slowdowns caused by excessive traffic.

2. Why API Rate Limiting is Crucial

Implementing a robust API rate limiting strategy is not just a best practice; it's a fundamental requirement for modern API platforms.

  • System Stability and Reliability: Prevents your API and underlying infrastructure from being overwhelmed, leading to outages or degraded performance.
  • Security Posture Enhancement: Acts as a frontline defense against various malicious activities, including credential stuffing, DDoS, and data exfiltration attempts.
  • Resource Optimization: Ensures that critical resources (CPU, memory, network bandwidth, database connections) are available for legitimate and high-priority requests.
  • Fair Access and User Experience: Guarantees that all users receive a reasonable share of API access, preventing a few heavy users from degrading the experience for others.
  • Monetization and Tiered Services: Enables the creation of different service tiers (e.g., free, premium, enterprise) with varying rate limits, aligning usage with business models.

3. Common Rate Limiting Algorithms

Several algorithms are used to implement rate limiting, each with its own characteristics regarding accuracy, resource usage, and how it handles bursts.

  • 3.1. Fixed Window Counter:

* Mechanism: Divides time into fixed-size windows (e.g., 1 minute). Each request increments a counter for the current window. If the counter exceeds the limit within the window, subsequent requests are blocked until the next window starts.

* Pros: Simple to implement, low resource overhead.

* Cons: Can allow a "burst" of requests at the window boundaries (e.g., 60 requests at the very end of one window and 60 requests at the very beginning of the next, totaling 120 in a short span).

* Use Case: Basic rate limiting where strict burst control isn't paramount.

  • 3.2. Sliding Log:

* Mechanism: Stores a timestamp for every request made by a client. When a new request arrives, it counts how many timestamps fall within the defined time window (e.g., the last 60 seconds). If the count exceeds the limit, the request is denied. Old timestamps are purged.

* Pros: Highly accurate, perfectly smooth rate limiting, no boundary issues.

* Cons: High memory usage (stores every timestamp), computationally expensive for a large number of requests.

* Use Case: Scenarios requiring very precise rate limiting, often for critical or high-value APIs.

  • 3.3. Sliding Window Counter:

* Mechanism: A hybrid approach. It uses fixed windows but smooths out the burstiness. It calculates the weighted average of the current window's count and the previous window's count to estimate the request rate.

* Pros: Better at handling bursts than Fixed Window, less resource-intensive than Sliding Log.

* Cons: Still an approximation; not as precise as Sliding Log.

* Use Case: A good balance between accuracy and resource efficiency for most general-purpose APIs.

  • 3.4. Token Bucket:

* Mechanism: Imagine a bucket with a fixed capacity for "tokens." Tokens are added to the bucket at a constant rate. Each request consumes one token. If the bucket is empty, the request is denied or queued.

* Pros: Excellent for controlling average rate while allowing for bursts up to the bucket capacity. Efficient and widely used.

* Cons: Requires careful tuning of bucket size and refill rate.

* Use Case: Ideal for scenarios where you want to allow occasional bursts of traffic without exceeding an average rate.

  • 3.5. Leaky Bucket:

* Mechanism: Similar to Token Bucket but in reverse. Requests are added to a "bucket" (a queue) and processed at a constant rate, like water leaking out of a bucket. If the bucket overflows (queue is full), new requests are dropped.

* Pros: Smooths out bursty traffic into a steady stream, preventing backend systems from being overwhelmed.

* Cons: Can introduce latency due to queuing.

* Use Case: Protecting backend services from being flooded, ensuring a consistent processing rate.

4. Key Considerations for Implementation

Successfully implementing API rate limiting requires careful planning and strategic decisions.

  • 4.1. Granularity of Limiting:

* By User/API Key: Limits requests per authenticated user or API key. Most common and effective.

* By IP Address: Limits requests per source IP. Useful for unauthenticated endpoints but can be problematic with shared IPs (NAT, proxies).

* By Endpoint: Different limits for different API endpoints (e.g., /login vs. /data).

* By Resource: Limits access to specific resources or data objects.

* Combined Approaches: Often, a combination (e.g., IP-based for unauthenticated, user-based for authenticated) provides the best coverage.

  • 4.2. Response to Exceeded Limits:

* HTTP Status Code: Return HTTP 429 Too Many Requests. This is the standard.

* Retry-After Header: Include a Retry-After header indicating when the client can safely retry the request (e.g., Retry-After: 60).

* Custom Error Message: Provide a clear, human-readable error message explaining the limit and how to resolve it (e.g., "You have exceeded your rate limit. Please wait 60 seconds before trying again.").

* Logging and Alerting: Log all rate-limited requests and set up alerts for unusual patterns or high volumes of 429 responses.

  • 4.3. Distributed Systems:

* In a microservices or load-balanced environment, rate limiting must be coordinated across all instances.

* Centralized Store: Use a shared, high-performance data store (e.g., Redis) to store and update rate limit counters.

* Consistent Hashing: Ensure requests from the same client are routed to the same rate limiter instance (if not using a centralized store) or use distributed locking mechanisms.

  • 4.4. Edge Cases and Overrides:

* Internal Services: Allow internal services or trusted partners to bypass or have higher limits.

* Admin/Monitoring Tools: Ensure monitoring and administrative tools are not rate-limited themselves.

* Burst Tolerance: Design limits to allow for reasonable bursts of activity without immediate blocking.

  • 4.5. Client Communication:

* Clearly document rate limits in your API documentation.

* Inform clients about 429 responses and the Retry-After header.

* Provide guidance on implementing exponential backoff and jitter for retries.

5. Best Practices and Recommendations

To ensure an effective and maintainable API rate limiting system:

  • Start with Reasonable Defaults: Don't set limits too aggressively initially. Monitor usage and adjust as needed.
  • Educate Your Users: Clearly document your rate limits and how clients should handle 429 responses. Provide examples of exponential backoff.
  • Implement Client-Side Backoff: Encourage clients to implement exponential backoff with jitter to prevent thundering herd problems when limits are hit.
  • Monitor and Alert: Track rate limit hits, identify problematic clients, and detect potential attacks. Set up alerts for unusual patterns.
  • Layer Your Defenses: Rate limiting is one layer of defense. Combine it with authentication, authorization, input validation, and WAFs for comprehensive security.
  • Consider a Gateway/Proxy: Implement rate limiting at the API Gateway level (e.g., NGINX, Kong, AWS API Gateway, Azure API Management) for centralized management and offloading from backend services.
  • Use a Dedicated Service (if applicable): For very high-scale or complex requirements, consider specialized rate limiting services or libraries that handle distributed counters and advanced algorithms efficiently.
  • Test Thoroughly: Simulate various load scenarios, including legitimate heavy usage and malicious attacks, to validate your rate limiting configuration.
  • Provide Clear Error Messages: When a client hits a rate limit, the error message should be informative and actionable, including the Retry-After header.

6. Actionable Recommendations for Your API

Based on this comprehensive review, we recommend the following actionable steps for implementing or enhancing API rate limiting:

  1. Define Rate Limit Policies:

* Identify Key Endpoints: Determine which API endpoints are most critical or resource-intensive and require specific rate limits (e.g., /auth, /search, /upload).

* Establish Granularity: Decide whether to limit by user, API key, IP, or a combination. For authenticated endpoints, user/API key-based limiting is highly recommended.

* Set Initial Limits: Define specific limits (e.g., 100 requests per minute per user, 5 requests per minute for login attempts per IP). Document these clearly.

  1. Choose Appropriate Algorithms:

* For general-purpose APIs requiring a balance of accuracy and efficiency, Sliding Window Counter or Token Bucket are excellent choices.

* For critical authentication endpoints, consider Token Bucket for its ability to smooth bursts while maintaining an average rate, or Fixed Window for simplicity combined with IP-based limits for unauthenticated attempts.

  1. Select Implementation Strategy:

* API Gateway Integration: Leverage your existing API Gateway (if any) to implement rate limiting as a first line of defense. This offloads the concern from your backend services.

* Centralized Data Store (e.g., Redis): For distributed environments, utilize a fast, centralized key-value store like Redis to maintain rate limit counters across all service instances.

* Language-Specific Libraries: If gateway-level limiting isn't feasible or sufficient, integrate robust, well-tested rate limiting libraries within your backend services.

  1. Standardize Error Handling:

* Ensure all rate-limited responses consistently return HTTP 429 Too Many Requests.

* Always include the Retry-After HTTP header with the number of seconds until the client can retry.

* Provide a concise, helpful error message in the response body.

  1. Enhance Monitoring and Alerting:

* Instrument your rate limiter to log every 429 response, including client ID/IP, endpoint, and timestamp.

* Create dashboards to visualize rate limit hits over time, identifying patterns and potential abuse.

* Set up alerts for high volumes of 429 responses for specific clients or endpoints, indicating potential attacks or misbehaving clients.

  1. Update API Documentation:

* Add a dedicated section to your API documentation detailing your rate limiting policies, the 429 response, and the Retry-After header.

* Provide code examples for implementing exponential backoff with jitter on the client side.

  1. Conduct Load Testing:

* Perform comprehensive load testing to validate that your chosen rate limiting strategy effectively protects your backend systems without unduly penalizing legitimate users. Test scenarios hitting limits and recovering.

By systematically addressing these recommendations, you will establish a robust and effective API rate limiting system that protects your services, ensures fair usage, and enhances the overall reliability and security of your API platform.

api_rate_limiter.txt
Download source file
Copy all content
Full output as text
Download ZIP
IDE-ready project ZIP
Copy share link
Permanent URL for this run
Get Embed Code
Embed this result on any website
Print / Save PDF
Use browser print dialog
\n\n\n"); var hasSrcMain=Object.keys(extracted).some(function(k){return k.indexOf("src/main")>=0;}); if(!hasSrcMain) zip.file(folder+"src/main."+ext,"import React from 'react'\nimport ReactDOM from 'react-dom/client'\nimport App from './App'\nimport './index.css'\n\nReactDOM.createRoot(document.getElementById('root')!).render(\n \n \n \n)\n"); var hasSrcApp=Object.keys(extracted).some(function(k){return k==="src/App."+ext||k==="App."+ext;}); if(!hasSrcApp) zip.file(folder+"src/App."+ext,"import React from 'react'\nimport './App.css'\n\nfunction App(){\n return(\n
\n
\n

"+slugTitle(pn)+"

\n

Built with PantheraHive BOS

\n
\n
\n )\n}\nexport default App\n"); zip.file(folder+"src/index.css","*{margin:0;padding:0;box-sizing:border-box}\nbody{font-family:system-ui,-apple-system,sans-serif;background:#f0f2f5;color:#1a1a2e}\n.app{min-height:100vh;display:flex;flex-direction:column}\n.app-header{flex:1;display:flex;flex-direction:column;align-items:center;justify-content:center;gap:12px;padding:40px}\nh1{font-size:2.5rem;font-weight:700}\n"); zip.file(folder+"src/App.css",""); zip.file(folder+"src/components/.gitkeep",""); zip.file(folder+"src/pages/.gitkeep",""); zip.file(folder+"src/hooks/.gitkeep",""); Object.keys(extracted).forEach(function(p){ var fp=p.startsWith("src/")?p:"src/"+p; zip.file(folder+fp,extracted[p]); }); zip.file(folder+"README.md","# "+slugTitle(pn)+"\n\nGenerated by PantheraHive BOS.\n\n## Setup\n\`\`\`bash\nnpm install\nnpm run dev\n\`\`\`\n\n## Build\n\`\`\`bash\nnpm run build\n\`\`\`\n\n## Open in IDE\nOpen the project folder in VS Code or WebStorm.\n"); zip.file(folder+".gitignore","node_modules/\ndist/\n.env\n.DS_Store\n*.local\n"); } /* --- Vue (Vite + Composition API + TypeScript) --- */ function buildVue(zip,folder,app,code,panelTxt){ var pn=pkgName(app); var C=cc(pn); var extracted=extractCode(panelTxt); zip.file(folder+"package.json",'{\n "name": "'+pn+'",\n "version": "0.0.0",\n "type": "module",\n "scripts": {\n "dev": "vite",\n "build": "vue-tsc -b && vite build",\n "preview": "vite preview"\n },\n "dependencies": {\n "vue": "^3.5.13",\n "vue-router": "^4.4.5",\n "pinia": "^2.3.0",\n "axios": "^1.7.9"\n },\n "devDependencies": {\n "@vitejs/plugin-vue": "^5.2.1",\n "typescript": "~5.7.3",\n "vite": "^6.0.5",\n "vue-tsc": "^2.2.0"\n }\n}\n'); zip.file(folder+"vite.config.ts","import { defineConfig } from 'vite'\nimport vue from '@vitejs/plugin-vue'\nimport { resolve } from 'path'\n\nexport default defineConfig({\n plugins: [vue()],\n resolve: { alias: { '@': resolve(__dirname,'src') } }\n})\n"); zip.file(folder+"tsconfig.json",'{"files":[],"references":[{"path":"./tsconfig.app.json"},{"path":"./tsconfig.node.json"}]}\n'); zip.file(folder+"tsconfig.app.json",'{\n "compilerOptions":{\n "target":"ES2020","useDefineForClassFields":true,"module":"ESNext","lib":["ES2020","DOM","DOM.Iterable"],\n "skipLibCheck":true,"moduleResolution":"bundler","allowImportingTsExtensions":true,\n "isolatedModules":true,"moduleDetection":"force","noEmit":true,"jsxImportSource":"vue",\n "strict":true,"paths":{"@/*":["./src/*"]}\n },\n "include":["src/**/*.ts","src/**/*.d.ts","src/**/*.tsx","src/**/*.vue"]\n}\n'); zip.file(folder+"env.d.ts","/// \n"); zip.file(folder+"index.html","\n\n\n \n \n "+slugTitle(pn)+"\n\n\n
\n \n\n\n"); var hasMain=Object.keys(extracted).some(function(k){return k==="src/main.ts"||k==="main.ts";}); if(!hasMain) zip.file(folder+"src/main.ts","import { createApp } from 'vue'\nimport { createPinia } from 'pinia'\nimport App from './App.vue'\nimport './assets/main.css'\n\nconst app = createApp(App)\napp.use(createPinia())\napp.mount('#app')\n"); var hasApp=Object.keys(extracted).some(function(k){return k.indexOf("App.vue")>=0;}); if(!hasApp) zip.file(folder+"src/App.vue","\n\n\n\n\n"); zip.file(folder+"src/assets/main.css","*{margin:0;padding:0;box-sizing:border-box}body{font-family:system-ui,sans-serif;background:#fff;color:#213547}\n"); zip.file(folder+"src/components/.gitkeep",""); zip.file(folder+"src/views/.gitkeep",""); zip.file(folder+"src/stores/.gitkeep",""); Object.keys(extracted).forEach(function(p){ var fp=p.startsWith("src/")?p:"src/"+p; zip.file(folder+fp,extracted[p]); }); zip.file(folder+"README.md","# "+slugTitle(pn)+"\n\nGenerated by PantheraHive BOS.\n\n## Setup\n\`\`\`bash\nnpm install\nnpm run dev\n\`\`\`\n\n## Build\n\`\`\`bash\nnpm run build\n\`\`\`\n\nOpen in VS Code or WebStorm.\n"); zip.file(folder+".gitignore","node_modules/\ndist/\n.env\n.DS_Store\n*.local\n"); } /* --- Angular (v19 standalone) --- */ function buildAngular(zip,folder,app,code,panelTxt){ var pn=pkgName(app); var C=cc(pn); var sel=pn.replace(/_/g,"-"); var extracted=extractCode(panelTxt); zip.file(folder+"package.json",'{\n "name": "'+pn+'",\n "version": "0.0.0",\n "scripts": {\n "ng": "ng",\n "start": "ng serve",\n "build": "ng build",\n "test": "ng test"\n },\n "dependencies": {\n "@angular/animations": "^19.0.0",\n "@angular/common": "^19.0.0",\n "@angular/compiler": "^19.0.0",\n "@angular/core": "^19.0.0",\n "@angular/forms": "^19.0.0",\n "@angular/platform-browser": "^19.0.0",\n "@angular/platform-browser-dynamic": "^19.0.0",\n "@angular/router": "^19.0.0",\n "rxjs": "~7.8.0",\n "tslib": "^2.3.0",\n "zone.js": "~0.15.0"\n },\n "devDependencies": {\n "@angular-devkit/build-angular": "^19.0.0",\n "@angular/cli": "^19.0.0",\n "@angular/compiler-cli": "^19.0.0",\n "typescript": "~5.6.0"\n }\n}\n'); zip.file(folder+"angular.json",'{\n "$schema": "./node_modules/@angular/cli/lib/config/schema.json",\n "version": 1,\n "newProjectRoot": "projects",\n "projects": {\n "'+pn+'": {\n "projectType": "application",\n "root": "",\n "sourceRoot": "src",\n "prefix": "app",\n "architect": {\n "build": {\n "builder": "@angular-devkit/build-angular:application",\n "options": {\n "outputPath": "dist/'+pn+'",\n "index": "src/index.html",\n "browser": "src/main.ts",\n "tsConfig": "tsconfig.app.json",\n "styles": ["src/styles.css"],\n "scripts": []\n }\n },\n "serve": {"builder":"@angular-devkit/build-angular:dev-server","configurations":{"production":{"buildTarget":"'+pn+':build:production"},"development":{"buildTarget":"'+pn+':build:development"}},"defaultConfiguration":"development"}\n }\n }\n }\n}\n'); zip.file(folder+"tsconfig.json",'{\n "compileOnSave": false,\n "compilerOptions": {"baseUrl":"./","outDir":"./dist/out-tsc","forceConsistentCasingInFileNames":true,"strict":true,"noImplicitOverride":true,"noPropertyAccessFromIndexSignature":true,"noImplicitReturns":true,"noFallthroughCasesInSwitch":true,"paths":{"@/*":["src/*"]},"skipLibCheck":true,"esModuleInterop":true,"sourceMap":true,"declaration":false,"experimentalDecorators":true,"moduleResolution":"bundler","importHelpers":true,"target":"ES2022","module":"ES2022","useDefineForClassFields":false,"lib":["ES2022","dom"]},\n "references":[{"path":"./tsconfig.app.json"}]\n}\n'); zip.file(folder+"tsconfig.app.json",'{\n "extends":"./tsconfig.json",\n "compilerOptions":{"outDir":"./dist/out-tsc","types":[]},\n "files":["src/main.ts"],\n "include":["src/**/*.d.ts"]\n}\n'); zip.file(folder+"src/index.html","\n\n\n \n "+slugTitle(pn)+"\n \n \n \n\n\n \n\n\n"); zip.file(folder+"src/main.ts","import { bootstrapApplication } from '@angular/platform-browser';\nimport { appConfig } from './app/app.config';\nimport { AppComponent } from './app/app.component';\n\nbootstrapApplication(AppComponent, appConfig)\n .catch(err => console.error(err));\n"); zip.file(folder+"src/styles.css","* { margin: 0; padding: 0; box-sizing: border-box; }\nbody { font-family: system-ui, -apple-system, sans-serif; background: #f9fafb; color: #111827; }\n"); var hasComp=Object.keys(extracted).some(function(k){return k.indexOf("app.component")>=0;}); if(!hasComp){ zip.file(folder+"src/app/app.component.ts","import { Component } from '@angular/core';\nimport { RouterOutlet } from '@angular/router';\n\n@Component({\n selector: 'app-root',\n standalone: true,\n imports: [RouterOutlet],\n templateUrl: './app.component.html',\n styleUrl: './app.component.css'\n})\nexport class AppComponent {\n title = '"+pn+"';\n}\n"); zip.file(folder+"src/app/app.component.html","
\n
\n

"+slugTitle(pn)+"

\n

Built with PantheraHive BOS

\n
\n \n
\n"); zip.file(folder+"src/app/app.component.css",".app-header{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:60vh;gap:16px}h1{font-size:2.5rem;font-weight:700;color:#6366f1}\n"); } zip.file(folder+"src/app/app.config.ts","import { ApplicationConfig, provideZoneChangeDetection } from '@angular/core';\nimport { provideRouter } from '@angular/router';\nimport { routes } from './app.routes';\n\nexport const appConfig: ApplicationConfig = {\n providers: [\n provideZoneChangeDetection({ eventCoalescing: true }),\n provideRouter(routes)\n ]\n};\n"); zip.file(folder+"src/app/app.routes.ts","import { Routes } from '@angular/router';\n\nexport const routes: Routes = [];\n"); Object.keys(extracted).forEach(function(p){ var fp=p.startsWith("src/")?p:"src/"+p; zip.file(folder+fp,extracted[p]); }); zip.file(folder+"README.md","# "+slugTitle(pn)+"\n\nGenerated by PantheraHive BOS.\n\n## Setup\n\`\`\`bash\nnpm install\nng serve\n# or: npm start\n\`\`\`\n\n## Build\n\`\`\`bash\nng build\n\`\`\`\n\nOpen in VS Code with Angular Language Service extension.\n"); zip.file(folder+".gitignore","node_modules/\ndist/\n.env\n.DS_Store\n*.local\n.angular/\n"); } /* --- Python --- */ function buildPython(zip,folder,app,code){ var title=slugTitle(app); var pn=pkgName(app); var src=code.replace(/^\`\`\`[\w]*\n?/m,"").replace(/\n?\`\`\`$/m,"").trim(); var reqMap={"numpy":"numpy","pandas":"pandas","sklearn":"scikit-learn","tensorflow":"tensorflow","torch":"torch","flask":"flask","fastapi":"fastapi","uvicorn":"uvicorn","requests":"requests","sqlalchemy":"sqlalchemy","pydantic":"pydantic","dotenv":"python-dotenv","PIL":"Pillow","cv2":"opencv-python","matplotlib":"matplotlib","seaborn":"seaborn","scipy":"scipy"}; var reqs=[]; Object.keys(reqMap).forEach(function(k){if(src.indexOf("import "+k)>=0||src.indexOf("from "+k)>=0)reqs.push(reqMap[k]);}); var reqsTxt=reqs.length?reqs.join("\n"):"# add dependencies here\n"; zip.file(folder+"main.py",src||"# "+title+"\n# Generated by PantheraHive BOS\n\nprint(title+\" loaded\")\n"); zip.file(folder+"requirements.txt",reqsTxt); zip.file(folder+".env.example","# Environment variables\n"); zip.file(folder+"README.md","# "+title+"\n\nGenerated by PantheraHive BOS.\n\n## Setup\n\`\`\`bash\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\n\`\`\`\n\n## Run\n\`\`\`bash\npython main.py\n\`\`\`\n"); zip.file(folder+".gitignore",".venv/\n__pycache__/\n*.pyc\n.env\n.DS_Store\n"); } /* --- Node.js --- */ function buildNode(zip,folder,app,code){ var title=slugTitle(app); var pn=pkgName(app); var src=code.replace(/^\`\`\`[\w]*\n?/m,"").replace(/\n?\`\`\`$/m,"").trim(); var depMap={"mongoose":"^8.0.0","dotenv":"^16.4.5","axios":"^1.7.9","cors":"^2.8.5","bcryptjs":"^2.4.3","jsonwebtoken":"^9.0.2","socket.io":"^4.7.4","uuid":"^9.0.1","zod":"^3.22.4","express":"^4.18.2"}; var deps={}; Object.keys(depMap).forEach(function(k){if(src.indexOf(k)>=0)deps[k]=depMap[k];}); if(!deps["express"])deps["express"]="^4.18.2"; var pkgJson=JSON.stringify({"name":pn,"version":"1.0.0","main":"src/index.js","scripts":{"start":"node src/index.js","dev":"nodemon src/index.js"},"dependencies":deps,"devDependencies":{"nodemon":"^3.0.3"}},null,2)+"\n"; zip.file(folder+"package.json",pkgJson); var fallback="const express=require(\"express\");\nconst app=express();\napp.use(express.json());\n\napp.get(\"/\",(req,res)=>{\n res.json({message:\""+title+" API\"});\n});\n\nconst PORT=process.env.PORT||3000;\napp.listen(PORT,()=>console.log(\"Server on port \"+PORT));\n"; zip.file(folder+"src/index.js",src||fallback); zip.file(folder+".env.example","PORT=3000\n"); zip.file(folder+".gitignore","node_modules/\n.env\n.DS_Store\n"); zip.file(folder+"README.md","# "+title+"\n\nGenerated by PantheraHive BOS.\n\n## Setup\n\`\`\`bash\nnpm install\n\`\`\`\n\n## Run\n\`\`\`bash\nnpm run dev\n\`\`\`\n"); } /* --- Vanilla HTML --- */ function buildVanillaHtml(zip,folder,app,code){ var title=slugTitle(app); var isFullDoc=code.trim().toLowerCase().indexOf("=0||code.trim().toLowerCase().indexOf("=0; var indexHtml=isFullDoc?code:"\n\n\n\n\n"+title+"\n\n\n\n"+code+"\n\n\n\n"; zip.file(folder+"index.html",indexHtml); zip.file(folder+"style.css","/* "+title+" — styles */\n*{margin:0;padding:0;box-sizing:border-box}\nbody{font-family:system-ui,-apple-system,sans-serif;background:#fff;color:#1a1a2e}\n"); zip.file(folder+"script.js","/* "+title+" — scripts */\n"); zip.file(folder+"assets/.gitkeep",""); zip.file(folder+"README.md","# "+title+"\n\nGenerated by PantheraHive BOS.\n\n## Open\nDouble-click \`index.html\` in your browser.\n\nOr serve locally:\n\`\`\`bash\nnpx serve .\n# or\npython3 -m http.server 3000\n\`\`\`\n"); zip.file(folder+".gitignore",".DS_Store\nnode_modules/\n.env\n"); } /* ===== MAIN ===== */ var sc=document.createElement("script"); sc.src="https://cdnjs.cloudflare.com/ajax/libs/jszip/3.10.1/jszip.min.js"; sc.onerror=function(){ if(lbl)lbl.textContent="Download ZIP"; alert("JSZip load failed — check connection."); }; sc.onload=function(){ var zip=new JSZip(); var base=(_phFname||"output").replace(/\.[^.]+$/,""); var app=base.toLowerCase().replace(/[^a-z0-9]+/g,"_").replace(/^_+|_+$/g,"")||"my_app"; var folder=app+"/"; var vc=document.getElementById("panel-content"); var panelTxt=vc?(vc.innerText||vc.textContent||""):""; var lang=detectLang(_phCode,panelTxt); if(_phIsHtml){ buildVanillaHtml(zip,folder,app,_phCode); } else if(lang==="flutter"){ buildFlutter(zip,folder,app,_phCode,panelTxt); } else if(lang==="react-native"){ buildReactNative(zip,folder,app,_phCode,panelTxt); } else if(lang==="swift"){ buildSwift(zip,folder,app,_phCode,panelTxt); } else if(lang==="kotlin"){ buildKotlin(zip,folder,app,_phCode,panelTxt); } else if(lang==="react"){ buildReact(zip,folder,app,_phCode,panelTxt); } else if(lang==="vue"){ buildVue(zip,folder,app,_phCode,panelTxt); } else if(lang==="angular"){ buildAngular(zip,folder,app,_phCode,panelTxt); } else if(lang==="python"){ buildPython(zip,folder,app,_phCode); } else if(lang==="node"){ buildNode(zip,folder,app,_phCode); } else { /* Document/content workflow */ var title=app.replace(/_/g," "); var md=_phAll||_phCode||panelTxt||"No content"; zip.file(folder+app+".md",md); var h=""+title+""; h+="

"+title+"

"; var hc=md.replace(/&/g,"&").replace(//g,">"); hc=hc.replace(/^### (.+)$/gm,"

$1

"); hc=hc.replace(/^## (.+)$/gm,"

$1

"); hc=hc.replace(/^# (.+)$/gm,"

$1

"); hc=hc.replace(/\*\*(.+?)\*\*/g,"$1"); hc=hc.replace(/\n{2,}/g,"

"); h+="

"+hc+"

Generated by PantheraHive BOS
"; zip.file(folder+app+".html",h); zip.file(folder+"README.md","# "+title+"\n\nGenerated by PantheraHive BOS.\n\nFiles:\n- "+app+".md (Markdown)\n- "+app+".html (styled HTML)\n"); } zip.generateAsync({type:"blob"}).then(function(blob){ var a=document.createElement("a"); a.href=URL.createObjectURL(blob); a.download=app+".zip"; a.click(); URL.revokeObjectURL(a.href); if(lbl)lbl.textContent="Download ZIP"; }); }; document.head.appendChild(sc); } function phShare(){navigator.clipboard.writeText(window.location.href).then(function(){var el=document.getElementById("ph-share-lbl");if(el){el.textContent="Link copied!";setTimeout(function(){el.textContent="Copy share link";},2500);}});}function phEmbed(){var runId=window.location.pathname.split("/").pop().replace(".html","");var embedUrl="https://pantherahive.com/embed/"+runId;var code='';navigator.clipboard.writeText(code).then(function(){var el=document.getElementById("ph-embed-lbl");if(el){el.textContent="Embed code copied!";setTimeout(function(){el.textContent="Get Embed Code";},2500);}});}

Created with Panthera Hive

← BOS DashboardMy Library