Token Bucket Algorithm: Understanding Rate Limiting with Tokens

发布时间：2026-03-29 17:44:23

24 阅读

0 评论

The token bucket algorithm is one of the most widely used rate limiting techniques in computer networks and API management. Despite its name, the "tokens" here are not authentication tokens but rather abstract units representing the right to perform an action, like processing a request.

How the Token Bucket Works

Imagine a bucket that holds tokens. The bucket has a maximum capacity (burst size). Tokens are added to the bucket at a fixed rate (refill rate). Each request consumes one token from the bucket. If the bucket is empty, the request is either rejected or queued until a token becomes available.

For example, a bucket with capacity 10 and refill rate of 5 tokens/second allows bursts of up to 10 requests, with a sustained rate of 5 requests per second.

Key Parameters

Bucket Capacity (Burst Size): Maximum number of tokens that can accumulate. Determines the maximum burst of requests allowed.
Refill Rate: Rate at which new tokens are added. Determines the sustained request rate.
Token Cost: Number of tokens consumed per request (can vary by operation complexity).

Implementations

NGINX Rate Limiting

NGINX uses the leaky bucket variant for rate limiting. The limit_req_zone directive defines the rate, and limit_req applies it to locations.

Redis-Based Implementation

Redis is ideal for distributed token bucket implementations using atomic operations. The INCR and EXPIRE commands, combined with Lua scripts, provide thread-safe token management across multiple server instances.

API Gateway Implementation

Services like Kong, AWS API Gateway, and Cloudflare implement token bucket rate limiting at the edge, providing global rate limiting without per-service implementation.

Token Bucket vs. Leaky Bucket vs. Sliding Window

While the token bucket allows bursting (up to bucket capacity), the leaky bucket processes requests at a constant rate. The sliding window counter provides more accurate rate limiting but is more complex to implement in distributed systems. Each algorithm has its trade-offs between accuracy, implementation complexity, and resource usage.

Conclusion

The token bucket algorithm provides an elegant, efficient approach to rate limiting that balances fairness with flexibility. Its ability to handle bursts while maintaining sustained rate limits makes it the algorithm of choice for most API rate limiting scenarios.