
User-Based Rate Limiting — Complete Per-User Throttling Guide

DodaTech Updated 2026-06-28 1 min read

In this tutorial, you will learn about user-based rate limiting. We cover key concepts, practical examples, and best practices to help you master this topic.

User-based rate limiting applies limits per authenticated user rather than per IP address. This allows different quotas for different subscription tiers and avoids the problems of shared IPs, where many legitimate users sit behind one NAT or proxy address.

What You'll Learn

You'll learn how to implement user-based rate limits, integrate with authentication, and support tiered pricing.

Why It Matters

User-based limiting is fairer than IP-based because it accounts for actual users. It enables business models with free, pro, and enterprise tiers.

Real-World Use

Stripe API rate limits by API key (which maps to an account). Free accounts get 25 requests per second, pro accounts get 100, and enterprise accounts get custom limits.

Implementation

```python
from flask import Flask, request, jsonify, g
import time

app = Flask(__name__)

# Per-tier quotas: "limit" requests per "window" seconds (sliding window).
USER_LIMITS = {
    "free": {"limit": 100, "window": 3600},
    "pro": {"limit": 10000, "window": 3600},
    "enterprise": {"limit": 100000, "window": 3600}
}

# In-memory request timestamps per user. Fine for a single process;
# a multi-instance deployment needs a shared store such as Redis.
user_requests = {}

def get_user_tier():
    # Placeholder authentication: a real implementation validates the token
    # and looks up the account it belongs to. Never derive the user ID from
    # anything the client can set freely.
    token = request.headers.get("Authorization")
    if not token:
        return None
    g.user = {"id": "user_123", "tier": "pro"}
    return g.user["tier"]

@app.route("/api/user-data")
def get_user_data():
    tier = get_user_tier()
    if tier is None:
        # Unauthenticated callers never receive a user-scoped quota.
        return jsonify({"error": "Authentication required"}), 401
    limits = USER_LIMITS[tier]
    user_id = g.user["id"]
    now = time.time()
    # Drop timestamps that have aged out of the window, then count the rest.
    user_requests[user_id] = [
        t for t in user_requests.get(user_id, []) if now - t < limits["window"]
    ]
    if len(user_requests[user_id]) >= limits["limit"]:
        return jsonify({"error": "Rate limit exceeded"}), 429
    user_requests[user_id].append(now)
    return jsonify({"tier": tier, "remaining": limits["limit"] - len(user_requests[user_id])})
```

Common Mistakes

| Mistake | Consequence | Fix |
|---------|-------------|-----|
| Not identifying anonymous users | Anonymous users bypass user limits | Apply IP limits for unauthenticated requests |
| Same limits for all users | Cannot monetize tiers | Differentiate limits by subscription |
| No burst allowance | Users hit the limit exactly | Add a small burst buffer |
| User limits without auth | Anyone can claim any user ID | Always authenticate before user-based limiting |
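The following limiter puts the four fixes from the table together in one place. It is an added example written for this article, not DodaTech's code: identity comes only from a bearer token that verifies against a token store, unknown or missing tokens fall back to an IP-scoped anonymous budget instead of bypassing limits, tiers carry different quotas, and a token bucket gives each tier a small burst allowance. The token store, tokens, tier sizes, IP addresses and user IDs are constructed for illustration, and the store itself stands in for a real auth service.

```python
import hashlib
import threading
import time
from dataclasses import dataclass

# Constructed tier table in the article's "limit per window" form, plus a burst
# capacity: the bucket holds at most this many tokens, so short spikes are
# absorbed without raising the sustained rate. "anonymous" is the IP-scoped
# fallback for callers that cannot be authenticated.
TIERS = {
    "free":       {"limit": 100,    "window": 3600, "burst": 10},
    "pro":        {"limit": 10000,  "window": 3600, "burst": 50},
    "enterprise": {"limit": 100000, "window": 3600, "burst": 200},
    "anonymous":  {"limit": 20,     "window": 3600, "burst": 5},
}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store keyed by token hash; a hypothetical stand-in for a
# real auth service or session store. Plaintext tokens are never stored.
TOKEN_STORE = {
    _digest("tok_alice_pro"): {"id": "user_alice", "tier": "pro"},
    _digest("tok_bob_free"):  {"id": "user_bob",   "tier": "free"},
}

def resolve_principal(headers: dict, client_ip: str) -> tuple:
    """Map a request to (bucket key, tier).

    Identity comes only from a verified bearer token. A client-supplied header
    such as X-User-Id is ignored, so nobody can borrow another user's quota.
    Missing or unknown tokens get an IP-scoped anonymous budget rather than
    slipping past the limiter entirely.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = TOKEN_STORE.get(_digest(auth[len("Bearer "):].strip()))
        if user is not None:
            return f"user:{user['id']}", user["tier"]
    return f"ip:{client_ip}", "anonymous"

@dataclass
class Decision:
    allowed: bool
    key: str
    tier: str
    remaining: int
    retry_after: float  # seconds until the next request would be accepted

@dataclass
class _Bucket:
    tokens: float
    updated: float

class ManualClock:
    """Deterministic clock for demos and tests; advance() moves time forward."""
    def __init__(self):
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

class TieredLimiter:
    """Token bucket per principal, refilled at the tier's sustained rate
    (limit / window) and capped at the tier's burst size."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for deterministic tests
        self._buckets = {}
        self._lock = threading.Lock()  # single process; a fleet needs Redis

    def check(self, headers: dict, client_ip: str) -> Decision:
        key, tier = resolve_principal(headers, client_ip)
        cfg = TIERS[tier]
        rate = cfg["limit"] / cfg["window"]
        now = self._clock()
        with self._lock:
            b = self._buckets.get(key)
            if b is None:
                b = _Bucket(tokens=float(cfg["burst"]), updated=now)
                self._buckets[key] = b
            # Refill in proportion to elapsed time, never above burst capacity.
            b.tokens = min(cfg["burst"], b.tokens + (now - b.updated) * rate)
            b.updated = now
            if b.tokens >= 1.0:
                b.tokens -= 1.0
                return Decision(True, key, tier, int(b.tokens), 0.0)
            # Send this value as the Retry-After header on the 429 response.
            return Decision(False, key, tier, 0, (1.0 - b.tokens) / rate)

if __name__ == "__main__":
    limiter = TieredLimiter(clock=ManualClock())
    for _ in range(11):
        d = limiter.check({"Authorization": "Bearer tok_bob_free"}, "203.0.113.7")
        print(d)
```

A forged `X-User-Id: user_alice` header without a valid token lands in the `ip:` bucket with the anonymous budget, which is exactly the behaviour the last two table rows ask for. The refill rate is the article's limit-per-window figure, so the sustained quota is unchanged; only the burst size decides how many requests can arrive back-to-back before the first 429.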

What's Next

Learn about endpoint-based rate limiting.
