Rate Limiter Design

Design a distributed rate-limiter that protects Pinterest’s APIs from abuse while adding <10 ms latency per request. The service must support multiple simultaneous rules: per-user (100 req/min), per-IP (1 000 req/min for unauthenticated traffic), per-API-key (configurable), and global (50 K req/min). Limits should be enforced at the API-gateway layer and be adjustable without code changes. When a limit is exceeded the gateway must reject the request with HTTP 429, return the standard headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After), and keep processing overhead negligible. The system must scale horizontally to 1 M requests/second across multiple regions, remain consistent under concurrent load, and degrade gracefully if the shared state store is temporarily unavailable.