PSR-15 middleware for rate limiting API or other application endpoints.

2.0.0 2021-10-31 11:27 UTC

This package is auto-updated.

Last update: 2022-07-29 01:49:16 UTC


Build Status Scrutinizer Code Quality Code Coverage Latest Stable Version PDS Skeleton

PSR-15 middleware for rate limiting API or other application endpoints. Sits on top of general purpose Rate Limiter.


The preferred method of installation is via Composer. Run the following command to install the latest version of a package and add it to your project's composer.json:

composer require nikolaposa/rate-limit-middleware


Rate Limit middleware is designed to be used per route, so that you can set up a rate limiting strategies for each individual endpoint or group of endpoints. This is accomplished through a mechanism for composing middleware known as piping.

Full example

Following examples demonstrate how RateLimitMiddleware can be used in a Mezzio-based application, but the same principle applies to any middleware framework.


use Laminas\Diactoros\Response\JsonResponse;
use Psr\Container\ContainerInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use RateLimit\Middleware\RateLimitMiddleware;
use RateLimit\Middleware\ResolveIpAddressAsUserIdentity;
use RateLimit\Middleware\ResolveUserIdentity;
use RateLimit\Rate;
use RateLimit\RateLimiter;
use RateLimit\RedisRateLimiter;

return [
    'dependencies' => [
        'invokables' => [
            ResolveUserIdentity::class => ResolveIpAddressAsUserIdentity::class,
        'factories'  => [
            'RateLimit\\Strategy\\Api' => function (ContainerInterface $container) {
                return new RedisRateLimiter(Rate::perSecond(5), $container->get(Redis::class), 'rate_limit:api:');
            'RateLimit\\Strategy\\CreatePost' => function (ContainerInterface $container) {
                return new RedisRateLimiter(Rate::perDay(20), $container->get(Redis::class), 'rate_limit:web:post');
            // default limit exceeded handler; anonymous class is used only for the sake 
            // of simplicity of the example
            'RateLimit\\LimitExceededRequestHandler' => function () {
                return new class implements RequestHandlerInterface {
                    public function handle(ServerRequestInterface $request): ResponseInterface
                        return new JsonResponse(['error' => 'Too many requests']);
            // rate limit middleware for different endpoints
            'RateLimit\\ApiRateLimitMiddleware' => function (ContainerInterface $container) {
                return new RateLimitMiddleware(
            'RateLimit\\CreatePostRateLimitMiddleware' => function (ContainerInterface $container) {
                return new RateLimitMiddleware(


$app->get('/', App\Handler\HomePageHandler::class, 'home');

$app->get('/posts', [
], 'post.list');
$app->post('/posts', [
], 'post.create');
$app->put('/posts/:id', App\Handler\UpdatePostHandler::class, 'post.edit');

$app->route('/api/resource[/{id:[a-f0-9]{32}}]', [
], ['GET', 'POST', 'PATCH', 'DELETE'], 'api-resource');



Released under MIT License - see the License File for details.