Token Bucket Implementation

Architectural Foundations and State Management

The token bucket algorithm regulates API throughput by maintaining a virtual container with a fixed capacity (C) and a continuous refill rate (R). On each request, the system calculates elapsed time since the last operation, credits tokens proportionally, and attempts to deduct the required amount. If tokens >= cost, the request proceeds; otherwise, it is rejected with a 429 Too Many Requests. Establishing baseline architectural context requires understanding how these mathematical primitives map to runtime memory and concurrency models, as detailed in Core Rate Limiting Algorithms & Theory.

Production implementations must resolve three engineering constraints: deterministic refill calculations, bounded memory allocation, and thread-safe consumption under high concurrency.

Local vs Distributed State Models

Local state models store bucket metadata in process heap memory (e.g., ConcurrentHashMap in Java or Map in Node.js). This yields sub-microsecond lookup latency but introduces state fragmentation across horizontally scaled nodes. Cross-node synchronization requires either sticky load balancing (anti-pattern for modern cloud-native routing) or distributed state migration.

Distributed models externalize bucket state to a centralized datastore like Redis or DynamoDB. This guarantees consistent enforcement across all ingress points but introduces network latency and serialization overhead. Failover handling must be explicitly architected:

  • Fail-Open: Allow requests through during datastore outages (prioritizes availability, risks burst overload).
  • Fail-Closed: Reject requests during outages (prioritizes protection, degrades UX).
  • Graceful Degradation: Switch to local in-memory buckets with reduced capacity until primary state recovers.

Lock-Free Token Deduction Patterns

Mutex-based locking introduces contention bottlenecks under sustained load. Lock-free patterns utilize atomic operations and Compare-And-Swap (CAS) loops to guarantee safe state transitions without thread blocking.

// Production-ready lock-free local token bucket (Node.js worker context)
class AtomicTokenBucket {
 private capacity: number;
 private refillRate: number; // tokens per millisecond
 private state: { tokens: number; lastRefill: number };

 constructor(capacity: number, refillRatePerSec: number) {
 this.capacity = capacity;
 this.refillRate = refillRatePerSec / 1000;
 this.state = { tokens: capacity, lastRefill: Date.now() };
 }

 tryConsume(cost: number = 1): { allowed: boolean; remaining: number; retryAfterMs?: number } {
 const now = Date.now();
 const elapsed = now - this.state.lastRefill;
 
 // Calculate new token balance atomically
 let currentTokens = this.state.tokens + (elapsed * this.refillRate);
 currentTokens = Math.min(currentTokens, this.capacity);
 
 if (currentTokens >= cost) {
 this.state.tokens = currentTokens - cost;
 this.state.lastRefill = now;
 return { allowed: true, remaining: this.state.tokens };
 }

 // Calculate wait time for sufficient tokens
 const needed = cost - currentTokens;
 const retryAfterMs = Math.ceil(needed / this.refillRate);
 return { allowed: false, remaining: currentTokens, retryAfterMs };
 }
}

In multi-process environments, CAS operations or std::atomic primitives prevent race conditions during simultaneous refill calculations and deductions. The algorithm guarantees monotonic state progression without explicit lock acquisition.

Framework-Specific Middleware Configuration

Server-side middleware must intercept the request lifecycle before business logic execution, validate token availability, inject standard rate-limit headers, and short-circuit rejected requests. The implementation strategy varies by runtime, but all require strict pipeline ordering to prevent bypass vulnerabilities.

Node.js and Express Interceptor Setup

Express middleware executes sequentially. Rate limiting must be registered before authentication and routing layers to prevent unnecessary credential validation on throttled requests.

import { Request, Response, NextFunction } from 'express';
import { Redis } from 'ioredis';

const redis = new Redis(process.env.REDIS_URL);

export const tokenBucketMiddleware = async (req: Request, res: Response, next: NextFunction) => {
 const clientId = req.headers['x-api-key'] as string || req.ip;
 const key = `tb:${clientId}`;
 
 try {
 // Execute atomic Lua script (see Redis section below)
 const result = await redis.eval(`
 local key = KEYS[1]
 local capacity = tonumber(ARGV[1])
 local rate = tonumber(ARGV[2])
 local now = tonumber(ARGV[3])
 local requested = tonumber(ARGV[4])
 
 local bucket = redis.call('HMGET', key, 'tokens', 'last_refill')
 local tokens = tonumber(bucket[1]) or capacity
 local last_refill = tonumber(bucket[2]) or now
 
 local elapsed = math.max(0, now - last_refill)
 tokens = math.min(capacity, tokens + (elapsed * rate))
 
 if tokens >= requested then
 tokens = tokens - requested
 redis.call('HMSET', key, 'tokens', tokens, 'last_refill', now)
 redis.call('EXPIRE', key, 3600)
 return {1, math.floor(tokens), 0}
 else
 redis.call('HMSET', key, 'tokens', tokens, 'last_refill', now)
 redis.call('EXPIRE', key, 3600)
 local wait = math.ceil((requested - tokens) / rate)
 return {0, math.floor(tokens), wait}
 end
 `, 1, key, '100', '2', Date.now(), '1');

 const [allowed, remaining, retryAfter] = result as [number, number, number];

 res.set({
 'X-RateLimit-Limit': '100',
 'X-RateLimit-Remaining': String(remaining),
 'X-RateLimit-Reset': String(Math.ceil(Date.now() / 1000) + retryAfter)
 });

 if (!allowed) {
 res.set('Retry-After', String(retryAfter));
 return res.status(429).json({ error: 'Rate limit exceeded', retryAfterMs: retryAfter });
 }
 
 next();
 } catch (err) {
 // Fail-open strategy for resilience
 console.error('Rate limiter failure:', err);
 next();
 }
};

Spring Boot HandlerInterceptor Integration

Spring Boot’s HandlerInterceptor provides pre-handle execution hooks. Binding the interceptor to the security context ensures accurate tenant isolation.

@Component
public class TokenBucketInterceptor implements HandlerInterceptor {
 private final RedisTemplate<String, String> redisTemplate;
 private final DefaultRedisScript<List<Long>> rateLimitScript;

 @Override
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
 String clientId = SecurityContextHolder.getContext().getAuthentication().getName();
 String key = "tb:" + clientId;
 
 // Execute pre-compiled Lua script for single-round-trip execution
 List<Long> result = redisTemplate.execute(rateLimitScript, 
 Collections.singletonList(key), "100", "2", String.valueOf(System.currentTimeMillis()), "1");
 
 boolean allowed = result.get(0) == 1L;
 long remaining = result.get(1);
 long retryAfter = result.get(2);
 
 response.setHeader("X-RateLimit-Limit", "100");
 response.setHeader("X-RateLimit-Remaining", String.valueOf(remaining));
 response.setHeader("X-RateLimit-Reset", String.valueOf(System.currentTimeMillis() / 1000 + retryAfter));
 
 if (!allowed) {
 response.setHeader("Retry-After", String.valueOf(retryAfter));
 response.setStatus(429);
 return false; // Short-circuit
 }
 return true;
 }
}

Register via WebMvcConfigurer to apply globally or restrict to specific @RequestMapping paths.

Client-Side Request Interceptors

Frontend and service-to-service clients should implement proactive backoff to reduce server load during throttling events.

import axios, { AxiosInstance } from 'axios';

export const createRateLimitedClient = (baseURL: string): AxiosInstance => {
 const client = axios.create({ baseURL });
 
 client.interceptors.response.use(
 (res) => res,
 async (error) => {
 const originalRequest = error.config;
 if (error.response?.status === 429 && !originalRequest._retry) {
 originalRequest._retry = true;
 const retryAfter = parseInt(error.response.headers['retry-after'] || '1000', 10);
 await new Promise(resolve => setTimeout(resolve, retryAfter));
 return client(originalRequest);
 }
 return Promise.reject(error);
 }
 );
 return client;
};

Synchronize local token caches with X-RateLimit-Remaining headers to preemptively queue requests, reducing unnecessary network round-trips.

Redis-Based Distributed Tracking Workflows

High-throughput distributed environments require Redis for centralized state management. The implementation must guarantee atomicity, minimize network hops, and handle cluster topology gracefully.

Atomic Lua Execution and TTL Management

Redis executes Lua scripts atomically within a single shard. The script must calculate elapsed time, apply refill logic, enforce capacity bounds, and perform deduction in one execution cycle.

Optimized Lua Script:

local key = KEYS[1]
local capacity = tonumber(ARGV[1])
local rate = tonumber(ARGV[2])
local now = tonumber(ARGV[3])
local cost = tonumber(ARGV[4])

local bucket = redis.call('HMGET', key, 'tokens', 'last_refill')
local tokens = tonumber(bucket[1]) or capacity
local last_refill = tonumber(bucket[2]) or now

local elapsed = math.max(0, now - last_refill)
tokens = math.min(capacity, tokens + (elapsed * rate))

if tokens >= cost then
 tokens = tokens - cost
 redis.call('HMSET', key, 'tokens', tokens, 'last_refill', now)
 redis.call('EXPIRE', key, 3600)
 return {1, math.floor(tokens), 0}
else
 redis.call('HMSET', key, 'tokens', tokens, 'last_refill', now)
 redis.call('EXPIRE', key, 3600)
 local wait = math.ceil((cost - tokens) / rate)
 return {0, math.floor(tokens), wait}
end

Hash Tag Routing: Use {tenant_id} syntax in keys (e.g., rate:{user_123}:bucket) to ensure all related keys hash to the same cluster slot, preventing CROSSSLOT errors during multi-key operations. TTL Management: Set expiration on first creation and refresh on every access. Implement lazy eviction via Redis maxmemory-policy allkeys-lru to prevent memory exhaustion from dormant client buckets.

Redis Cluster Synchronization and Partition Handling

Redis Cluster partitions data across master nodes using consistent hashing. Cross-node consistency is guaranteed per shard, but global ordering is not. For rate limiting, per-client consistency is sufficient.

Fallback Degradation Modes:

  • Implement a circuit breaker around Redis calls. If MOVED/ASK redirections exceed thresholds, fallback to local in-memory buckets with a 50% reduced capacity.
  • Route read-heavy telemetry to replicas, but direct all write operations (token deduction) to primaries to prevent split-brain state corruption.

Observability and Distributed Tracing

Instrument the middleware layer to export metrics compatible with Prometheus and OpenTelemetry.

# Prometheus Metric Definitions
rate_limit_requests_total{status="allowed|rejected", client_id="..."}
rate_limit_tokens_remaining{client_id="..."}
rate_limit_evaluation_latency_seconds{quantile="0.99"}

Inject OpenTelemetry spans at the middleware entry point. Track db.operation as EVAL and attach db.statement metadata for debugging script performance. Configure alert thresholds on rate_limit_rejected_total spikes and P99 evaluation latency > 15ms to detect Redis saturation or network degradation.

Algorithm Selection and Performance Benchmarking

Token bucket behavior must be evaluated against alternative throttling models under sustained load. While Fixed Window vs Sliding Window architectures excel at strict quota enforcement, they suffer from boundary edge-case bursts. The token bucket provides superior burst tolerance and smoother traffic absorption, making it ideal for API gateways and public-facing endpoints.

Output Smoothing vs Input Smoothing Dynamics

Token buckets perform input smoothing: they allow requests to queue conceptually as tokens, permitting controlled bursts up to C before enforcing the steady-state rate R. This contrasts with strict output pacing, where Leaky Bucket Mechanics enforce a constant drain rate regardless of input velocity. Use token buckets for client-facing APIs requiring burst tolerance (e.g., mobile sync, UI refreshes). Reserve leaky buckets for backend service-to-service communication or egress gateways where predictable, flatline throughput is mandatory to prevent downstream queue saturation.

Production Decision Matrix

Select the algorithm based on traffic volatility, state overhead, and compliance constraints. Consult How to Choose Between Token Bucket and Leaky Bucket for hybrid deployment patterns.

Constraint Token Bucket Leaky Bucket Fixed Window
Burst Handling Excellent (up to capacity) None (strict pacing) Poor (boundary spikes)
Memory Overhead Low (2 values per key) Low (queue pointer) Low (counter + timestamp)
Implementation Complexity Medium (time math) Medium (queue management) Low (simple counter)
Best Use Case Public APIs, client sync Backend pipelines, DB protection Billing quotas, strict SLAs

Benchmarking and Latency Tuning

Throughput metrics and resource overhead scale non-linearly with concurrent connections. Analyze Token Bucket vs Fixed Window Performance under burst spikes and steady-state traffic to finalize infrastructure sizing.

P99 Latency Optimization Strategies:

  • Pre-compile Lua scripts using SCRIPT LOAD and EVALSHA to eliminate parsing overhead.
  • Pipeline Redis commands where multiple buckets are checked per request.
  • Monitor CPU utilization on Redis nodes; token bucket math is lightweight, but high EVAL volume can saturate single-threaded event loops. Scale horizontally via Redis Cluster or migrate to a multi-threaded in-memory store (e.g., KeyDB) if P99 exceeds 20ms.

Deployment Checklist and Migration Pathways

Rolling out rate limiting middleware requires zero-downtime procedures and continuous telemetry validation.

  1. Shadow Testing Configuration: Deploy middleware in LOG_ONLY mode. Capture rejection decisions without enforcing 429 responses. Compare shadow metrics against baseline traffic to calibrate capacity and refill_rate.
  2. Phased Rollout & A/B Testing: Enable enforcement for 5% of traffic using feature flags or load balancer routing rules. Gradually increase to 25%, 50%, and 100% while monitoring error budgets and downstream service health.
  3. Legacy System Migration: Implement dual-write patterns during transition. Route legacy clients through a compatibility layer that translates fixed-window quotas into token bucket parameters, ensuring backward compatibility without state corruption.
  4. Rollback Triggers: Define automated rollback conditions: rejection rate > 15% of total traffic, P99 latency > 50ms, or downstream service error rate increase > 5%.
  5. Dynamic Capacity Adjustment: Integrate telemetry with autoscaling policies. If sustained traffic approaches 80% of bucket capacity, trigger horizontal pod autoscaling or dynamically increase refill_rate via configuration management (e.g., Consul, etcd) without service restart.