
Rate Limiting

Capping the number of requests a client can make per time window, the universal defense against abuse and accidental load.

Definition

Rate limiting is the discipline of capping how many requests a client (a user, a token, an IP) can make per time window: 100 per minute, 1000 per hour, 10K per day. Common algorithms include token bucket (smooth bursts), leaky bucket (drain at constant rate), and sliding window (precise count). Rate limits are enforced at the API gateway, the WAF, the application, or all three. The right limit balances 'high enough that legitimate users never hit it' with 'low enough that abuse can't matter.'

Why it matters

Most public APIs eventually face accidental DDoS from a buggy client with a tight retry loop, or intentional DDoS from someone testing your defenses. Rate limits convert both into bounded events: the bad client hits 429, the platform stays up, and the on-call doesn't get paged. Proper rate-limit headers (X-RateLimit-Remaining, Retry-After) also make the limits debuggable for legitimate clients.
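To make the two points above concrete (the algorithms named in the definition, and the 429 / Retry-After behaviour that turns a retry storm into a bounded event), here is an added example that is not Nova's code: a per-key limiter with a token bucket and a sliding-window log behind a common interface, plus a constructed "buggy client in a tight retry loop" scenario. Class names, header values and the scenario numbers are assumptions chosen for illustration; time is passed in explicitly so the behaviour is deterministic.

```python
"""Token-bucket and sliding-window rate limiters that emit 429 with rate-limit headers.

Added illustration, not the Nova platform's implementation. The clock (`now`) is
passed in by the caller so the scenarios below are reproducible offline.
"""
import math
from collections import deque


class TokenBucket:
    """Smooths bursts: up to `capacity` requests at once, then `rate` per second on average."""

    def __init__(self, capacity, rate, now):
        self.capacity = capacity
        self.rate = rate            # tokens refilled per second
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        """Return (allowed, seconds_until_next_token)."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True, 0.0
        return False, (1 - self.tokens) / self.rate

    def remaining(self):
        return int(self.tokens)


class SlidingWindowLog:
    """Exact count of requests in the trailing `window` seconds (memory grows with `limit`)."""

    def __init__(self, limit, window, now):
        self.limit = limit
        self.window = window
        self.events = deque()       # timestamps of accepted requests

    def allow(self, now):
        """Return (allowed, seconds_until_the_oldest_request_leaves_the_window)."""
        cutoff = now - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        if len(self.events) < self.limit:
            self.events.append(now)
            return True, 0.0
        return False, self.events[0] + self.window - now

    def remaining(self):
        return self.limit - len(self.events)


class RateLimiter:
    """Per-key front (key = user, token or IP) that builds gateway-style headers."""

    def __init__(self, factory, limit):
        self.factory = factory      # callable(now) -> a limiter instance for a new key
        self.limit = limit
        self.state = {}

    def check(self, key, now):
        """Return (http_status, headers) for one request from `key` at time `now`."""
        lim = self.state.get(key)
        if lim is None:
            lim = self.state[key] = self.factory(now)
        allowed, retry_after = lim.allow(now)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(lim.remaining()),
        }
        if allowed:
            return 200, headers
        # Retry-After is whole seconds; round up so the client never retries too early.
        headers["Retry-After"] = str(max(1, math.ceil(retry_after)))
        return 429, headers


def simulate_retry_storm(limiter, key="client-a", burst=50, start=0.0):
    """Constructed scenario: a client with a tight retry loop fires `burst` requests at once.

    Returns (accepted, rejected) counts; the platform only does work for `accepted`.
    """
    statuses = [limiter.check(key, start)[0] for _ in range(burst)]
    return statuses.count(200), statuses.count(429)


if __name__ == "__main__":
    gw = RateLimiter(lambda now: TokenBucket(capacity=10, rate=1.0, now=now), limit=10)
    print("token bucket, 50-request storm:", simulate_retry_storm(gw))
    print("same client 5 s later:", gw.check("client-a", 5.0))
    print("unrelated client, unaffected:", gw.check("client-b", 0.0))
```

The factory pattern is what lets the same front-end enforce a different algorithm per route: a token bucket where short bursts are legitimate (page loads, batch uploads), a sliding-window log where the count itself is the contract (login attempts, password resets). In production the per-key state lives in a shared store rather than a process dictionary, otherwise each gateway replica hands out its own full quota.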

How Nova handles it

See the part of the platform that handles rate limiting in production.

Nova webhook gateway