Mastering Rate Limiting in Laravel: Secure Routes and Manual Action Control

Prerequisites

To follow this guide, you should have a baseline understanding of the following:

• PHP 8.x and Laravel fundamentals.
• Working knowledge of Middleware and Service Providers.
• Experience with Composer for package management.

Key Libraries & Tools

• RateLimiter Facade: The core interface for manually checking and incrementing attempts.
• Limit Class: A helper used to define the frequency and duration of restrictions.
• Throttle Middleware: The standard bridge for applying rate limits directly to routes.
• PHPStorm & Laravel Idea: Recommended developer tools for auto-completing limiter keys and middleware strings.

Code Walkthrough: Route-Based Throttling

First, define the limiter in your AppServiceProvider. This logic centralizes how you identify users—typically by their ID or IP address.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('weather', function (Request $request) {
    return $request->user()
        ? Limit::perMinute(10)->by($request->user()->id)
        : Limit::perMinute(5)->by($request->ip());
});

Apply this to your routes using the throttle middleware:

Route::get('/weather', [WeatherController::class, 'show'])
    ->middleware('throttle:weather');

Manual Action Limiting

For actions that aren't tied to a specific route, use the RateLimiter facade directly. This is perfect for "pay-per-use" features like AI transcript generation.

$key = 'transcript:' . $request->ip();

if (RateLimiter::tooManyAttempts($key, 5)) {
    return response('Too many attempts! 🛑', 429);
}

// Perform the expensive logic here

RateLimiter::increment($key);

Syntax Notes

• Dynamic Limits: You can return different Limit objects based on user roles or subscription tiers inside the for closure.
• Grouping Keys: Always include a unique identifier (like $request->ip()) in your key to avoid blocking all users globally.
• Clearance: Use php artisan cache:clear during development to reset your attempt counters for testing.

Practical Examples

• API Monetization: Granting 100 requests/hour to free users and 5,000 to premium users.
• Credit Systems: Incrementing the limiter by a specific "weight" (e.g., RateLimiter::increment($key, 5)) for heavy operations while light tasks only increment by one.

Tips & Gotchas

• Cache Dependency: Rate limiting relies on your cache driver. If your cache is down or set to array, limits won't persist across requests.
• Response Codes: Always return a 429 Too Many Requests status code to follow REST best practices.
• Atomic Increments: Use the increment method rather than manually tracking hits to avoid race conditions.