npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

redis-lua-rate-limiter

v1.0.1

Published

Distributed token-bucket rate limiter using Redis Lua scripts for Node.js/Express

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

shubhankar7870shubhankar7870

Keywords

rate-limiterredisluatoken-bucketexpressdistributed

Readme

Redis-lua-rate-limiter

Distributed, atomic, token-bucket rate limiter for Node.js powered by Redis Lua scripts.

Works correctly across multiple Node.js instances with zero race conditions by keeping the rate-limiting logic inside Redis.

The Problem With Typical Express Rate Limiters

Most middleware like express-rate-limit:

  • Store counters in memory
  • Break when you scale to multiple servers
  • Leak requests under concurrency
  • Suffer from race conditions

This library solves that by:

Running the entire rate limiting algorithm inside Redis using Lua, executed atomically.

What is the Token Bucket Algorithm?

Token Bucket is an industry standard algorithm used by:

  • API Gateways
  • CDNs
  • Reverse Proxies
  • Cloud providers

How it works

Each user / API key / IP has a bucket:

  • Bucket has capacity (max tokens)
  • Tokens refill over time
  • Each request consumes 1 token
  • If bucket is empty → request denied

This allows:

  • Short bursts of traffic
  • Strict control of long-term rate
  • Smooth throttling instead of hard blocks

Example:

| Setting | Value | | ----------- | ----------------- | | Capacity | 10 | | Refill Rate | 5 tokens / second |

User can send 10 requests instantly, then 5 per second after.

Why Redis + Lua?

Without Lua:

GET tokens
CHECK tokens
SET tokens

This causes race conditions under concurrency.

With Lua:

All logic runs atomically inside Redis.

No race. No burst leak. Fully distributed.

Install

npm i redis-lua-rate-limiter

Basic Usage (IP based)

import express from "express";
import { createRateLimiter } from "redis-lua-rate-limiter";

const app = express();

const limiter = await createRateLimiter({
  redisUrl: "redis://localhost:6379",
  default: { capacity: 10, refillRate: 5 },
  headers: true,
});

app.use(limiter.middleware());

app.get("/", (_, res) => res.send("OK"));

app.listen(3000);

🔑 API Key Based Rate Limiting

const limiter = await createRateLimiter({
  redisUrl: "redis://localhost:6379",
  default: { capacity: 20, refillRate: 10 },

  keyGenerator: (req) => {
    const apiKey = req.headers["x-api-key"];
    if (typeof apiKey === "string") return `rate:${apiKey}`;
    return `rate:${req.ip}`;
  },
});

🛣️ Per Route Limits

const limiter = await createRateLimiter({
  redisUrl: "redis://localhost:6379",

  default: { capacity: 10, refillRate: 5 },

  routes: {
    "/login": { capacity: 3, refillRate: 1 },
    "/heavy": { capacity: 2, refillRate: 0.5 },
  },
});

📡 Rate Limit Headers

When headers: true:

X-RateLimit-Limit: 10
X-RateLimit-Remaining: 4

Similar to real API gateways.

Options Reference

createRateLimiter({
  redisUrl: string,              // required

  default: {
    capacity: number,
    refillRate: number
  },

  routes?: Record<string, {
    capacity: number,
    refillRate: number
  }>,

  keyGenerator?: (req: Request) => string,

  headers?: boolean
})

🧪 Benchmark (autocannon)

Tested under heavy concurrency:

npx autocannon -c 1000 -d 15 http://localhost:3000

Result:

160 2xx responses, 67579 non 2xx responses
69k requests in 15s
~4500 req/sec

This shows:

  • Strict enforcement
  • No race condition
  • No burst leak
  • Fully atomic behavior

Docker (for Redis)

version: "3.9"
services:
  redis:
    image: redis:7
    ports:
      - "6379:6379"

Run:

docker compose up

Architecture

Client → Express → Redis Lua → Allow / Deny

All Node instances share the same Redis logic.

Features

  • Token bucket algorithm
  • Redis Lua atomic execution
  • Works across multiple servers
  • Per IP / API key / user limiting
  • Per route limits
  • Rate limit headers
  • TypeScript support
  • Production ready

When should you use this?

  • Horizontally scaled Node.js apps
  • Microservices
  • API servers
  • Authentication endpoints
  • Public APIs

📜 License

MIT