Open Source · MIT License

Protect your API.
Every request.

Production-grade rate limiting middleware for Express.
3 algorithms. Redis-backed. Fail-open. Zero config to start.

3 Algorithms

27 Tests

0 Runtime Deps

server.ts

import express from 'express';
import { gatekeeper } from '@sibilsoren/gatekeeper';

const app = express();

// 100 requests/min per IP
app.use(gatekeeper());

// Strict auth limits
app.post('/auth/login', gatekeeper({
  limit: 5,
  window: '15m',
}));

app.listen(3000);

429 Too Many Requests

{
  "error": "Too Many Requests",
  "retryAfter": 30
}

Response Headers

X-RateLimit-Limit: 100

X-RateLimit-Remaining: 42

Retry-After: 30

Algorithms

Choose your strategy.

Three battle-tested algorithms. Pick the right one for your use case.

Default

📊

Sliding Window Counter

Prevents boundary burst attacks by weighting the previous window. Best accuracy-to-memory ratio.

Prev: 70 req

Curr: 20 req

Weighted = 70 × 75% + 20 = 72

✅ Best for most APIs 📦 2 counters/client

🪟

Fixed Window

The simplest approach. Resets the counter at each window boundary. Fast and memory-efficient.

80/100

🚫 100/100

20/100

⚡ Fastest 📦 1 counter/client

🪣

Token Bucket

Allows controlled bursts. Tokens refill at a steady rate. Perfect for API billing and throttling.

🪙 🪙 🪙 🪙 🪙 🪙

4/6 tokens · refills 2/sec

💰 Great for billing 🔀 Variable cost

Usage

From zero to protected in 30 seconds.

Install

npm install @sibilsoren/gatekeeper

For Redis support, also install ioredis

Add middleware

import { gatekeeper } from '@sibilsoren/gatekeeper';

// That's it. Zero config works.
app.use(gatekeeper());

Customize per route

// Strict for auth
app.post('/auth', gatekeeper({
  limit: 5, window: '15m'
}));

// Generous for reads
app.use('/api', gatekeeper({
  limit: 1000, window: '1m'
}));

Scale with Redis

import { RedisStore } from '@sibilsoren/gatekeeper';
import Redis from 'ioredis';

app.use(gatekeeper({
  store: new RedisStore(new Redis()),
}));

Why Gatekeeper

Built for production. Not for demos.

🛡️

Fail-Open

Redis down? Requests still flow. Your API stays up.

⚛️

Atomic Operations

Lua scripts in Redis prevent race conditions. No double-counting.

📊

Standard Headers

X-RateLimit-Limit, Remaining, Reset, and Retry-After on every response.

🎯

Flexible Keys

Rate limit by IP, API key, user ID, or any custom function.

🪶

Zero Dependencies

No runtime deps. ioredis is an optional peer dependency.

📦

Dual ESM + CJS

Works everywhere. TypeScript types included.

Configuration

Every knob you need.

Option	Type	Default	Description
`limit`	number	100	Max requests per window
`window`	string \| number	"1m"	Window size ("30s", "5m", "1h", or ms)
`algorithm`	string	"sliding-window"	"fixed-window" \| "sliding-window" \| "token-bucket"
`store`	Store	MemoryStore	Storage backend (MemoryStore or RedisStore)
`keyGenerator`	function	req.ip	Generate rate limit key from request
`skip`	function	() => false	Skip rate limiting for certain requests
`message`	string	"Too Many Requests"	Custom error message
`headers`	boolean	true	Include X-RateLimit-* headers
`capacity`	number	100	Token bucket capacity
`refillRate`	number	10	Tokens per second (token bucket)

Your API deserves better
than `express-rate-limit`.

Distributed. Atomic. Fail-open. Production-ready.