Code Room
System design (Medium)
Question
Design an API rate-limiting and abuse-prevention layer for a public API gateway handling 1.5M requests/sec across 12 regions. It must enforce per-API-key, per-IP, and per-endpoint limits with multiple tiers, resist distributed credential-stuffing and scraping, and add no more than ~2ms of latency. Limits must be roughly consistent globally (a key shouldn't get 12x its quota by hitting different regions). Cover the algorithm, where counters live, and the global-vs-local consistency trade-off.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
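One way the three parts of the question (algorithm, where counters live, global-vs-local consistency) fit together, as an added sketch that is not part of the question page: a per-region token bucket over the key, IP and endpoint dimensions, with every limit statically sharded across the 12 regions so a key cannot collect 12x its quota. Tier values, the IP and endpoint limits, the sample IPs and the endpoint path are constructed for illustration.

```python
import time

# Limits as (sustained requests/sec, burst). Constructed sample values, not from the page.
TIERS = {"free": (12, 24), "pro": (120, 240)}   # per API key, by tier
IP_LIMIT = (600, 1200)                           # per client IP, all keys combined
ENDPOINT_LIMIT = (12000, 24000)                  # per endpoint, all callers combined


class RegionalLimiter:
    """Token-bucket limiter for one region, keyed by API key, client IP and endpoint.

    Counters live in regional memory (no cross-region round trip on the hot path).
    To stop a caller collecting `regions` x its quota by spraying requests across
    regions, every limit is split evenly across regions (static sharding). That is
    the cheap end of the trade-off: a caller using only one region sees 1/regions
    of its nominal quota, while a replicated global counter buys accuracy with latency.
    """

    def __init__(self, regions: int = 12, clock=time.monotonic):
        self.regions = regions
        self.clock = clock
        self.buckets = {}  # (dimension, id) -> [tokens, last_refill]

    def _refill(self, key, rate, burst, now):
        b = self.buckets.setdefault(key, [burst, now])
        b[0] = min(burst, b[0] + (now - b[1]) * rate)
        b[1] = now
        return b

    def allow(self, api_key: str, tier: str, ip: str, endpoint: str) -> bool:
        now = self.clock()
        dims = [(("key", api_key), TIERS[tier]), (("ip", ip), IP_LIMIT),
                (("endpoint", endpoint), ENDPOINT_LIMIT)]
        # Refill every dimension before consuming, so a denial on one does not drain the others
        buckets = [self._refill(k, rate / self.regions, burst / self.regions, now)
                   for k, (rate, burst) in dims]
        if any(b[0] < 1 for b in buckets):
            return False
        for b in buckets:
            b[0] -= 1
        return True


def spray(regions: int, per_region: int, sharded: bool) -> int:
    """Requests one key gets through by hitting every region at the same instant."""
    limiters = [RegionalLimiter(regions if sharded else 1, clock=lambda: 0.0)
                for _ in range(regions)]
    return sum(lim.allow("key-A", "pro", "203.0.113.7", "/v1/search")
               for lim in limiters for _ in range(per_region))
```

`spray(12, 300, sharded=False)` lets 2880 requests through (12 regions each granting the full 240 burst), while `spray(12, 300, sharded=True)` caps the same key at 240 globally.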