Design a distributed rate limiter that caps how many requests a client (API key / IP) can make per time window.
How to approach it
Turn the open-ended prompt into a concrete contract. Separate functional requirements (what the system does) from non-functional ones (latency, availability, consistency, scale), and state non-goals so you do not overbuild. Ask one or two clarifying questions that actually change the design — read/write ratio, scale, and consistency needs are usually the highest-leverage.
Functional requirements
- Allow N requests per window per client
- Return 429 when over the limit
- Work across many app servers
- Configurable limits per route/tier
Non-functional requirements
- Adds < 5ms to each request
- Accurate enough under bursts
- Fails open or closed by policy
- Horizontally scalable
Out of scope
- Billing/metering
- Per-user analytics dashboards
Tip
First clarifying question — Hard limit or smoothed? And is a small overshoot acceptable for lower latency?