← Back

Rate limiting and quotas for LLM APIs

Token-aware rate limiting is critical for ensuring reliability, stability, and cost control in LLM API deployments. LLM traffic is uneven. One user sends a 200‑token prompt; another sends 20,000. If you only limit requests per minute, a few heavy prompts can freeze everyone else and blow your budget. Token‑aware limits protect latency and cost without punishing normal use.

Try Compute today: Put your model behind a dedicated vLLM endpoint on Compute. Keep caps tight, stream tokens, and enforce token‑aware limits at the gateway. Place it near users to avoid avoidable latency.

Why plain request limits fail for LLMs

  • Work differs per request. A short prompt with a small cap costs pennies; a long prompt with a huge cap costs many tokens and a lot of time.
  • Streaming hides work. A single long stream can occupy decode slots for tens of seconds.
  • Fairness suffers. A few large jobs starve many small ones if you pack only by request count.

The meaning of token-aware rate limiting for LLMs is to ensure fairness and efficient resource management in multi-tenant AI platforms, preventing resource starvation and promoting stable system operation.

Token‑aware patterns that work

Use limits that reflect real cost:

  • Prompt token limits per minute (protect prefill and memory).
  • Output token limits per minute (protect decode throughput).
  • Total token limits per minute/hour/day (simple to reason about).
  • Concurrency caps per key/user (max active streams at once).
  • Hard caps per request (max_tokens, context length) to bound worst‑case cost.

Combine per‑key limits (protect the platform) with per‑route limits (protect UX for specific features).

Follow best practices for implementing and managing token-aware rate limiting patterns, such as establishing clear rules, monitoring usage, and regularly reviewing configurations to ensure fair usage and operational efficiency.

Choosing your unit: requests vs tokens

  • Requests/minute: easy to implement; unfair under mixed loads.
  • Tokens/minute (TPM): best balance for cost + fairness.
  • Prompt TPM vs Output TPM: separate knobs if long inputs or long outputs dominate at your shop.
  • Concurrency: necessary backstop for streaming UIs.

When selecting the appropriate unit for rate limiting in LLM APIs, key factors to consider include request control, system stability, scalability, and the specific usage patterns of your application.

Hierarchies: per‑key, per‑user, per‑app

Set limits at multiple layers:

  • Key → User → App → Organization → Global. The tightest applicable limit wins. Organization-level limits help ensure fair usage across multiple teams or departments, preventing any single organization from monopolizing resources.
  • Burst vs sustained. Give a small burst allowance, then shape back to the sustained rate.
  • Priority tiers. Premium keys get higher TPM and more concurrency.

Concurrency caps and fairness

  • Active decode slots per key. Example: concurrency=2–4 for standard, 8+ for trusted internal apps.
  • Fair queueing. Admit a mix of short and long prompts each step; avoid starvation.
  • Per‑request caps. Keep max_tokens tight to avoid long, blocking generations.
  • Fast cancel. Free KV‑cache blocks immediately on user stop.

Effective concurrency caps are essential for supporting scalability, ensuring system performance and cost-effectiveness in large-scale LLM deployments.

Common challenges in LLM API rate limiting

Setting up rate limits for LLM APIs brings challenges you won't find with regular APIs. Fair usage matters—you need limits that protect your system from abuse while keeping things fair for everyone. LLM workloads shift dramatically based on input size, model complexity, and how much output gets generated. This makes standard rate limiting approaches fall short.

Real-time enforcement creates another hurdle. Your LLM API needs to spot and stop excessive usage instantly. Traffic surges can tank performance or crash your system if you're not ready. You need smart load balancing and access controls that adapt when usage patterns change. Track requests and responses as they happen to catch potential abuse and make sure your limits stick.

Clear communication helps too. Developers need predictable rate limiting policies to avoid surprise errors or service hiccups. Set limits too tight or explain them poorly, and you'll frustrate customers who can't use your API's full potential. Go too loose, and you're inviting abuse that'll spike your costs.

Good rate limiting for LLM APIs means finding the sweet spot between customer needs and the reality of running large models. You'll need to monitor constantly, adjust settings, and communicate changes to keep limits fair, efficient, and aligned with your business goals and technical limits.

Algorithms to implement

  • Token bucket for TPM: each key has a balance that refills at a steady rate; spend on prompt/output tokens as they are processed.
  • Leaky bucket for smoothing: queue allows bursts but drains at a fixed rate.
  • Sliding window for quotas: track totals over the last day/week/month without sharp resets.
  • Weighted costs: charge more for long context windows or tool use if they strain resources.

Designing 429 & Retry‑After

  • Return HTTP 429 when a key is out of budget or concurrency.
  • Include Retry-After with a realistic wait in seconds.
  • Return a structured error body:

{
 "error": {
   "type": "rate_limit_exceeded",
   "message": "Key exceeded 60k tokens/minute.",
   "retry_after": 8,
   "request_id": "..."
 }
}

  • When rate limits are exceeded, ensure the API response clearly communicates the error and, if possible, implement fallback strategies to route the response or provide alternative handling to maintain application stability.
  • In docs, show client backoff examples for SDKs you support.
  • For streaming, send a clean end‑of‑stream message when a soft quota is hit mid‑request; prefer hard per‑request caps to avoid this.

Quotas by day/week/month

  • Monthly quotas fit billing. Reset on a calendar day or a rolling 30‑day window.
  • Daily quotas protect sudden abuse from new keys.
  • Expose usage endpoints so customers can see remaining budget and avoid surprises.
  • Support soft warnings (HTTP 200 + header) at 80% and 95% of quota.
  • Governance mechanisms, such as quota policies, help ensure fair and stable usage of LLM APIs by managing resource allocation and aligning usage with organizational policies.

Gateway reference sketch

  • Front everything with a lightweight gateway (Nginx/Envoy/Traefik) + a small rate‑limit service with Redis. This reference architecture is designed to support a variety of applications, ensuring that different use cases and functionalities are addressed. The architecture supports reliable and secure operation of LLM APIs in production environments by providing consistent, high-quality service communication and robust security features. The gateway architecture defines policies for rate limiting, authorization, and protection against abuse, helping to safeguard APIs from malicious threats and ensure compliance with organizational requirements. Efficiently operating the gateway is crucial to maintain performance and security at scale.
  • Keys:
  • tpm_prompt, tpm_output, tpm_total
  • concurrency
  • rpm fallback for non‑streaming routes
  • daily_tokens, monthly_tokens
  • For SSE, disable proxy buffering and set keep‑alive timeouts sensibly.
  • Emit metrics for allows, denies, retry_after, and usage%.
Try Compute today: Run a vLLM endpoint on Compute and put your gateway in front. Keep limits token‑aware, stream by default, and place the node in‑region for lower latency.

Tools and technologies for rate limiting

You've got plenty of tools to help your organization set up solid rate limiting for LLM APIs. The API gateway sits at the heart of most modern setups. It's your central control point. Here, you manage API requests, enforce rate limits, and get essential features like load balancing and access control. You can configure gateways to apply quotas and limits based on different criteria—per client, per service, or per endpoint. This protects your backend services from excessive traffic and potential abuse.

Beyond API gateways, you'll find rate limiting algorithms like token bucket and leaky bucket work well to smooth out traffic bursts. They maintain consistent performance. These algorithms ensure your API requests get processed efficiently. They prevent sudden spikes from overwhelming your system. Many LLM API providers offer built-in rate limiting capabilities too. You can set quotas or limits on the number of requests or tokens consumed over a specific time period.

You can manage and configure these limits through APIs, command-line tools, or web-based dashboards. This gives you and your administrators the flexibility to adjust settings as needed. For example, you might use an API gateway to enforce a quota on API calls. This keeps your backend service responsive even when demand peaks.

When you use these tools and technologies together, you create efficient, scalable systems. They maintain fair usage and protect against abuse. Effective rate limiting doesn't just safeguard the performance and reliability of LLM APIs. It also helps you manage costs and deliver a better experience for all users.

Monitoring and tuning

Watch:

  • TTFT p95 and TPS p50/p95 with queue length.
  • Denies by reason (tpm_prompt, tpm_output, concurrency).
  • Top keys by token use and burstiness.
  • Retry‑After accuracy (did clients succeed on the next attempt?).
  • Error budget for 429s: keep them rare for well‑behaved clients.

Tune:

  • Monitoring these metrics helps determine when to adjust rate limits or concurrency caps.
  • Raise TPM when queues stay short and headroom is healthy.
  • Lower concurrency when long outputs cause starvation.
  • Adjust per‑route caps to protect latency‑sensitive paths.

Implement token‑aware limits without hurting UX

Protect the platform with tokens‑per‑minute, not just requests‑per‑minute. Keep per‑request caps tight, concurrency reasonable, and Retry‑After honest. Put a simple gateway and Redis counter in front, stream by default, and measure TTFT/TPS to see the effect. These habits control spend and make performance predictable. Implementing these rate limiting practices also helps save resources and prevent costly service disruptions.

FAQ

What is a fair default limit for new API keys?

Start with 30–60k tokens/min, 2–4 concurrent streams, and tight per‑request caps. Raise limits after you see stable behavior.

Requests/minute or tokens/minute—what should we choose?

Tokens/minute. It tracks real cost and protects fairness. Keep RPM as a safety net on non‑streaming routes.

How do we rate‑limit streaming responses?

Charge tokens as they are generated and stop when the budget runs out, but prefer hard per‑request caps so streams end cleanly.

How do we avoid 429 storms?

Use jittered backoff in clients, spread resets with sliding windows, and reserve small buffer capacity for retries.

Can we share limits across multiple regions?

Yes—replicate counters (e.g., Redis/CRDT) or shard by user base. Keep clients sticky to a region for lower latency.

What should we log for audits?

Key ID, route, prompt/output token counts, allow/deny decision, retry_after seconds, request_id. Avoid logging raw text.

Do token‑aware limits slow the system down?

The counters are cheap. The biggest win is preventing a few large jobs from hurting everyone else.

What are common use cases for rate limiting in LLM APIs?

Common use cases include protecting backend services from overload, managing operational costs, and ensuring fair access for multiple clients. Rate limiting can also support deployment strategies like canary and blue-green deployments by controlling traffic and enabling safe rollouts.

← Back