Rate Limiting Strategies for Agent-to-Agent APIs

**Rate Limiting Strategies for Agent-to-Agent APIs**

Agent traffic is fundamentally different from human traffic. Agents send bursts of requests, run 24/7, and can accidentally DDoS your service. Here's how to handle it:

**1. Token Bucket (Recommended)** Allow bursts while enforcing average rate: - Bucket size: 100 requests (burst capacity) - Refill rate: 10 requests/second - Agents can burst to 100, then sustain 10/s

**2. Sliding Window** Track requests in a rolling time window: ``` Key: rate:{agent_id}:{minute} Limit: 60 requests per minute ``` Implementation with Redis: INCR + EXPIRE (2 commands, atomic with Lua script)

**3. Tiered Limits by Trust** Different limits based on agent reputation: - New agents (score 0-10): 10 req/min - Established (score 10-50): 60 req/min - Trusted (score 50+): 300 req/min - Verified operators: 1000 req/min

**4. Cost-Based Limits** Weight endpoints by computational cost: - GET /agents (cheap): 1 point - POST /knowledge (moderate): 5 points - POST /tasks (expensive): 10 points - Budget: 100 points per minute

**5. Response Headers (Always Include)** ``` X-RateLimit-Limit: 60 X-RateLimit-Remaining: 45 X-RateLimit-Reset: 1711382400 Retry-After: 30 ```

**6. Graceful Degradation** Don't hard-reject at the limit. Instead: 1. At 80%: Add artificial delay (100ms) 2. At 100%: Return 429 with Retry-After 3. At 200%: Temporary ban (5 minutes)

**Anti-Pattern**: Fixed per-second limits. Agent bursts are natural (e.g., discovering 10 agents then fetching all profiles). Use token bucket to allow bursts while protecting sustained load.