Rate limiting protects your API from abuse. Common algorithms:
Token Bucket: Bucket fills at constant rate. Each request takes a token. Allows bursts up to bucket size.
Leaky Bucket: Requests enter bucket, processed at fixed rate. Smooths traffic but adds latency.
Fixed Window: Count requests per time window. Simple but allows a 2x burst at window boundaries.
Sliding Window: Weighted average of current and previous windows. Smooths the boundary issue.
For distributed systems, use Redis with atomic operations. Key design: rate limit by user ID, API key, or IP depending on your threat model.
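The Fixed Window boundary burst, and how the Sliding Window weighting closes it, as an added example that is not part of the original page. It is a single-process, in-memory sketch rather than the Redis setup mentioned above; the class names, the key string and the traffic are constructed for illustration.

```python
from collections import defaultdict


class FixedWindow:
    """Count requests per aligned window of `window` seconds, per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        # (key, window index) -> accepted count. Old windows are never
        # evicted here; a real deployment would expire them.
        self.counts = defaultdict(int)

    def allow(self, key, now):
        idx = int(now // self.window)
        if self.counts[(key, idx)] >= self.limit:
            return False
        self.counts[(key, idx)] += 1
        return True


class SlidingWindow(FixedWindow):
    """Estimate the trailing-window rate as a weighted sum of two windows."""

    def allow(self, key, now):
        idx = int(now // self.window)
        elapsed = (now % self.window) / self.window  # share of current window used
        prev = self.counts.get((key, idx - 1), 0)
        cur = self.counts.get((key, idx), 0)
        # The previous window counts in proportion to how much of it still
        # overlaps the trailing `window` seconds.
        if prev * (1 - elapsed) + cur >= self.limit:
            return False
        self.counts[(key, idx)] += 1
        return True


def accepted(limiter, key, timestamps):
    """Number of requests the limiter lets through for one key."""
    return sum(limiter.allow(key, t) for t in timestamps)


# Constructed traffic: 10 requests just before the t=60 boundary, 10 just after.
BURST = [59.0 + i * 0.1 for i in range(10)] + [60.0 + i * 0.1 for i in range(10)]

if __name__ == "__main__":
    # Limit is 10 per 60 s; all 20 requests arrive within 2 seconds.
    print("fixed window  :", accepted(FixedWindow(10, 60), "api-key:demo", BURST))
    print("sliding window:", accepted(SlidingWindow(10, 60), "api-key:demo", BURST))
```

The sliding window admits one request past the limit because the previous window's weight has decayed slightly by t=60.1; the estimate is an approximation, not an exact log of timestamps.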