Code Room
System design · Medium · sd-g617
Subject: Rate limiting security
Level: Mid–Senior · ~40 min
Common in: Security · Networking & APIs · Distributed systems · Algorithms & data structures interviews
Industries: Technology

Question

Design an API rate-limiting and abuse-prevention layer for a public API gateway handling 1.5M requests/sec across 12 regions. It must enforce per-API-key, per-IP, and per-endpoint limits with multiple tiers, resist distributed credential-stuffing and scraping, and add no more than ~2ms of latency. Limits must be roughly consistent globally (a key shouldn't get 12x its quota by hitting different regions). Cover the algorithm, where counters live, and the global-vs-local consistency trade-off.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
