<div class="post-toc-block float-default with-border"> 
						<div class="post-toc-header">Table of Contents</div>
						<nav id="md-post-toc" class="md-post-toc"></nav>
						</div><p>In this article, We will try to explore <strong>Token Bucket</strong> algorithm and its implementation in NodeJS for <strong><em>API Rate Limiting</em></strong> in very simple terms.</p>
</p>
<h3>What is Token Bucket ?</h3>
<p><strong>Token Bucket</strong> is an algorithm which is used to limit our resources or server usage. It is an algorithm in which we have some finite amount of tokens on our server and whenever a request is made, a token is used for that request full fulfillment. When there are requests more than the number of tokens, then the server denies or awaits all the requests until the tokens are refilled.<br />
The tokens can be refilled in various ways. Two of them are as follows :</p>
<ul>
<li>
<p>whenever a request is fulfilled, the token used by the user is returned back to the server.</p>
</li>
<li>
<p>refilling the tokens after a specific interval of time.</p>
</li>
</ul>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-1303" src="https://wp.keploy.io/wp-content/uploads/2024/05/fdecfaa9-210f-407a-a35c-63de7fa7.webp" alt="" width="1280" height="720" srcset="https://wp.keploy.io/wp-content/uploads/2024/05/fdecfaa9-210f-407a-a35c-63de7fa7.webp 1280w, https://wp.keploy.io/wp-content/uploads/2024/05/fdecfaa9-210f-407a-a35c-63de7fa7-300x169.webp 300w, https://wp.keploy.io/wp-content/uploads/2024/05/fdecfaa9-210f-407a-a35c-63de7fa7-1024x576.webp 1024w, https://wp.keploy.io/wp-content/uploads/2024/05/fdecfaa9-210f-407a-a35c-63de7fa7-768x432.webp 768w" sizes="auto, (max-width: 1280px) 100vw, 1280px" /></p>
<h3>Implementation of Token Bucket</h3>
<ol>
<li>Setup a new npm project and set the &quot;type&quot;:&quot;module&quot;.</li>
</ol>
<pre><code class="language-bash">
npm init -y</code></pre>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-1304" src="https://wp.keploy.io/wp-content/uploads/2024/05/dd6aec84-6a75-4ac8-a434-6bd92b96.webp" alt="" width="368" height="117" srcset="https://wp.keploy.io/wp-content/uploads/2024/05/dd6aec84-6a75-4ac8-a434-6bd92b96.webp 368w, https://wp.keploy.io/wp-content/uploads/2024/05/dd6aec84-6a75-4ac8-a434-6bd92b96-300x95.webp 300w" sizes="auto, (max-width: 368px) 100vw, 368px" /></p>
<ol start="2">
<li>Install express.</li>
</ol>
<pre><code class="language-bash">
npm i express</code></pre>
<ol start="3">
<li>Create a new file, name it anything, let&#8217;s say &quot;index.js&quot;. Write a basic express server code in it.</li>
</ol>
<pre><code class="language-javascript">
import express from &#039;express&#039;;
const app = express();

app.get(&#039;/&#039;,(req,res) =&gt; {
res.send(&#039;Hello There !!&#039;);
})

const PORT = process.env.PORT || 8000;
app.listen(PORT,() =&gt; {
console.log(<code>Server is running on PORT : ${PORT}</code>);
})</code></pre>
<p>Now we&#8217;ll be rate limiting the request to &#8216;/&#8217;. We&#8217;ll be programming a middleware to achieve this.</p>
<ol start="4">
<li>Create a new file for the middleware, let&#8217;s say, &quot;rateLimiter.js&quot; and write the syntax of the middleware function and export it.</li>
</ol>
<pre><code class="language-javascript">
export const rateLimiter = (req,res,next) =&gt; {

}</code></pre>
<pre><code class="language-javascript">
const tokens = [&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;];
var time = new Date().getTime();

export const rateLimiter = (req,res,next) =&gt; {

}</code></pre>
<p>In this code, <strong><em>tokens</em></strong> is the array of the tokens which the user can use to make a request to the server. <strong><em>time</em></strong> is a variable in which we store the current time in milliseconds.</p>
<pre><code class="language-javascript">
const tokens = [&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;];
var time = new Date().getTime();

export const rateLimiter = (req,res,next) =&gt; {
if(tokens.length){
tokens.pop();
next();
}
else{
res.send(<code>Service not available due to excess requests !! , ${new Date().getTime()-time}</code>);
}
}</code></pre>
<p>We have added simple if else condition in this, if any request comes and if the <strong><em>tokens</em></strong> array has a token, then a token will pop out and the request will be allowed, else the request will be denied.</p>
<p>After the tokens array becomes empty, we need to refill it.</p>
<pre><code class="language-javascript">
const tokens = [&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;];
var time = new Date().getTime();

export const rateLimiter = (req,res,next) =&gt; {
if(tokens.length){
tokens.pop();
next();
}
else{
if(new Date().getTime()-time &gt;= 20000){
const len = tokens.length;
for(let i=0;i&lt;5-len;i++){ tokens.push(&quot;AAAA&quot;); } time = new Date().getTime(); rateLimiter(res,res,next); } else{ res.send(<code>Service not available due to excess requests !! , ${new Date().getTime()-time}</code>); } } } ``<code> In this code, we changed a little bit of else condition. We are calculating the time difference with &quot;**new Date().getTime()-time**&quot;. If this difference exceeds 20000 milliseconds i.e. 20 sec, the tokens array will be refilled to 5 tokens. 5. But this code has a problem. In this code, whenever the server is started, the time variable gets initialized. Suppose after 20 seconds the first request is made. Then, by this code we will be able to make 10 requests in a span of 20 seconds because after 20 seconds when all the 5 tokens are used, the if condition of the outer else condition will run and it will refill the array with 5 more tokens immediately. But by our code, we only want 5 requests per 20 seconds. 6. With a smaller change in the present code, we can achieve the desired result. </code>``javascript const tokens = [&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;]; var time = new Date().getTime(); export const rateLimiter = (req,res,next) =&gt; {
if(tokens.length &amp;&amp; new Date().getTime()-time &lt; 20000){ tokens.pop(); next(); } else{ if(new Date().getTime()-time &gt;= 20000){
const len = tokens.length;
for(let i=0;i&lt;5-len;i++){ tokens.push(&quot;AAAA&quot;); } time = new Date().getTime(); rateLimiter(res,res,next); } else{ res.send(<code>Service not available due to excess requests !! , ${new Date().getTime()-time}</code>); } } } ``<code> We changed the outer **if** condition. The conditions are like firstly the server should be having a token and the time should be less than 20 sec, if the time difference is exceeding 20 seconds, the array will be refilled if there are less than 5 tokens in it. 7. Now add the middleware to the route. </code>``javascript import express from &#039;express&#039;; import { rateLimiter } from &#039;./rateLimiter.js&#039;; const app = express(); app.get(&#039;/&#039;, rateLimiter, (req,res) =&gt; {
res.send(&#039;Hello There !!&#039;);
})

const PORT = process.env.PORT || 8000;
app.listen(PORT,() =&gt; {
console.log(<code>Server is running on PORT : ${PORT}</code>);
})</code></pre>
<h3>Congratulations ! You have successfully added Rate Limitation to your server</h3>
<p>The final code looks like this.</p>
<pre><code class="language-javascript">
//&quot;index.js&quot;
import express from &#039;express&#039;;
import { rateLimiter } from &#039;./middleware/rateLimiter.js&#039;;
const app = express();
app.get(&#039;/&#039;, rateLimiter, (req,res) =&gt; {
res.send(&quot;Hello There !!&quot;);
})
const PORT = process.env.PORT || 8000;
app.listen(PORT,() =&gt; {
console.log(<code>Server is running on PORT : ${PORT}</code>);
})</code></pre>
<pre><code class="language-javascript">
// &quot;rateLimiter.js&quot;
const tokens = [&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;,&quot;AAAA&quot;];
var time = new Date().getTime();
export const rateLimiter = (req,res,next) =&gt; {
    if(tokens.length &amp;&amp; new Date().getTime()-time &lt; 20000){
        tokens.pop();
        next();
    }
    else{
        if(new Date().getTime()-time &gt;= 20000){
            const len = tokens.length;
            for(let i=0;i&lt;5-len;i++){
                tokens.push(&quot;AAAA&quot;);
            }
            time = new Date().getTime();
            rateLimiter(res,res,next);
        }
        else{
            res.send(<code>Service not available due to excess requests !! , ${new Date().getTime()-time}</code>);
        }
    }
}</code></pre>
<h2>Conclusion</h2>
<p>Now, I think we have understood how Token Bucket is implemented and will be able to customize the number of requests and tokens in it. If you have any queries, write in the comments and I will try to help you out. </p>
<h2>FAQs:</h2>
<h3>What is the Token Bucket algorithm? The Token Bucket algorithm is used for rate limiting to control the consumption of resources or server usage. It involves maintaining a bucket of tokens, where each token represents permission to perform a specific action or request.</h3>
<h3>How does the Token Bucket algorithm work?</h3>
<p>Requests consume tokens from the bucket. When the bucket is empty, further requests are either denied or queued until tokens are refilled. Tokens can be refilled at a fixed rate or based on certain conditions. </p>
<h3>What is the purpose of rate limiting in APIs?</h3>
<p>Rate limiting helps prevent abuse or overload of APIs by restricting the number of requests a client can make within a specified timeframe. It ensures fair usage of resources and protects the server from being overwhelmed.</p>

         
        
                    

                    
                    <div class="pp-multiple-authors-boxes-wrapper pp-multiple-authors-wrapper pp-multiple-authors-layout-boxed multiple-authors-target-the-content box-post-id-16 box-instance-id-1 ppma_boxes_16"
                    data-post_id="16"
                    data-instance_id="1"
                    data-additional_class="pp-multiple-authors-layout-boxed.multiple-authors-target-the-content"
                    data-original_class="pp-multiple-authors-boxes-wrapper pp-multiple-authors-wrapper box-post-id-16 box-instance-id-1">
                                                                                    <h2 class="widget-title box-header-title">Author</h2>
                                                                            <span class="ppma-layout-prefix"></span>
                        <div class="ppma-author-category-wrap">
                                                                                                <span class="ppma-category-group ppma-category-group-">
                                                                                                                        <ul class="pp-multiple-authors-boxes-ul">
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <li class="pp-multiple-authors-boxes-li author_index_0 author_sarthak-negi has-avatar">
                                                                                                                                                                                                                                            <div class="pp-author-boxes-avatar">
                                                                                                                                            <img alt='Sarthak Negi' src='https://wp.keploy.io/wp-content/uploads/2025/04/Sarthak-Negi.webp' srcset='https://wp.keploy.io/wp-content/uploads/2025/04/Sarthak-Negi.webp' class='multiple_authors_guest_author_avatar avatar' height='80' width='80'/>                                                                                                                                    </div>
                                                            
                                                            <div class="pp-author-boxes-avatar-details">
                                                                                                                                                                                                <div class="pp-author-boxes-name multiple-authors-name">
                                                                        <a href="https://wp.keploy.io/author/sarthak-negi/" rel="author" title="Sarthak Negi" class="author url fn">Sarthak Negi</a> 
                                                                    </div>
                                                                                                                                                                                                                                                                    <p class="pp-author-boxes-description multiple-authors-description">
                                                                        Sarthak Negi is passionate about open-source software, contributing to various projects and valuing collaboration within the community. He explores new tech advancements and aims to enhance the quality and functionality of his projects.                                                                    </p>
                                                                                                                                <a class="ppma-author-user_url-profile-data ppma-author-field-meta ppma-author-field-type-url" aria-label="Website" href="https://in.linkedin.com/in/sarthak-negi-4923a6259" rel="dofollow" target="_blank"><span class="dashicons dashicons-admin-links"></span> </a>
                                                                                                                                
                                                                                                                            </div>
                                                                                                                                                                                                                                                                                                                                                                                                             </li>
                                                                                                                                                                                                                                    </ul>
                                                                            </span>
                                                                                    </div>
                    <span class="ppma-layout-suffix"></span>
                    </div>
                    
                    
                
                                <style>
                .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-avatar img { width: 80px !important; height: 80px !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-avatar img { border-style: none !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-avatar img { border-radius: 50% !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-meta a { background-color: #655997 !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-meta a { color: #ffffff !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-meta a:hover { color: #ffffff !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_email-profile-data { background-color: #655997 !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_email-profile-data { border-radius: 100% !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_email-profile-data { color: #ffffff !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_url-profile-data { background-color: #655997 !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_url-profile-data { border-radius: 100% !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .ppma-author-user_url-profile-data { color: #ffffff !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-author-boxes-recent-posts-title { border-bottom-style: dotted !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-multiple-authors-boxes-li { border-style: solid !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-multiple-authors-boxes-li { border-width: 1px !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-multiple-authors-boxes-li { border-color: #999 !important; } .pp-multiple-authors-boxes-wrapper.box-post-id-16.pp-multiple-authors-layout-boxed.multiple-authors-target-the-content.box-instance-id-1 .pp-multiple-authors-boxes-li { color: #3c434a !important; }             </style>

Create API Rate Limiting with Token Bucket 🪣

How API Monitoring Works Behind the Scenes?

Why Traditional API Testing Fails? Comparing Shadow, Production, Replay Techniques

My Journey of DevRel Cohort at Keploy

My journey of Automating Test Cases!

Fun Facts About APIs

How To Securing APIs And Protect Sensitive Data ?

Building Keploy.io, an EBPF based open source framework to generate test cases and data stubs from API calls.

Neha Gupta

Cloud technology veteran and probably the youngest (globally) to have completed all 5 AWS certifications (including Solutions architect Professional and Dev­ops engineer professional)

Create Api Rate Limiting With Token Bucket 🪣

More Stories