Forem: Khaled Zeitar The latest articles on Forem by Khaled Zeitar (@kzeitar). https://forem.com/kzeitar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F578748%2F8bd42eda-a953-4aa0-a3fd-47576f1f172d.jpg Forem: Khaled Zeitar https://forem.com/kzeitar en I Let AI Write Most of My Code for a Month. Here’s What Happened. Khaled Zeitar Sat, 17 Jan 2026 18:45:52 +0000 https://forem.com/kzeitar/i-let-ai-write-most-of-my-code-for-a-month-heres-what-happened-3b30 https://forem.com/kzeitar/i-let-ai-write-most-of-my-code-for-a-month-heres-what-happened-3b30 <p>It started innocently enough.</p> <p>I was staring at a blank editor, trying to build a <a href="https://github.com/kzeitar/freeport" rel="noopener noreferrer">simple CLI tool</a>. Something that should take a few days max. But you know how it goes — stack overflow rabbit holes, documentation that reads like legalese, the constant context switching between "what am I building?" and "how do I even do this?"</p> <p>So I did what many of us do now. I fired up an AI assistant.</p> <p>"Write a CLI tool in Golang that accepts a port number and kills any process running on that port."</p> <p>A couple of minutes later, I had working code. It wasn't just working — it was <em>polished</em>. Error handling, helpful messages, cross-platform compatibility. The stuff that would have taken me hours to get right.</p> <p>Cool, right?</p> <p>Here's the thing — over the last month, I kept going. I let AI write more and more of my code. Everything from boilerplate to business logic. And I learned something important about this approach.</p> <p>Something I think every developer should hear.</p> <h2> The Good Stuff (Why It's Tempting) </h2> <p>Let's start with the obvious: <strong>AI makes you feel unstoppable.</strong></p> <p>Projects that used to take a week suddenly take two days. You're shipping faster than ever. The friction just... disappears. Stuck on a gnarly regex? AI handles it. Can't remember that one library API? AI shows you. That weird bug that's been driving you crazy? AI suggests three possible fixes.</p> <p>And the momentum — that's the real drug. You're actually <em>finishing</em> things. You're not abandoning projects halfway through because you hit a wall. You ship something, feel good about it, and move on to the next thing.</p> <p>For someone who struggles with overwhelm and perfectionism (guilty), this feels revolutionary.</p> <p>But here's what I noticed happening.</p> <h2> The Problem With Code You Don't Understand </h2> <p>About two weeks in, I shipped a side project. A simple tool that pulled data from an API and displayed it nicely. AI had written most of it — the API calls, the data parsing, the error handling, the whole deal.</p> <p>It worked. I was proud. I moved on.</p> <p>A week later, someone reported a bug. The data wasn't displaying correctly in a specific case.</p> <p>I opened the code and stared at it.</p> <p>And I realized... I had no idea how it worked.</p> <p>Like, I could tell you what it <em>did</em>. But I couldn't tell you <em>why</em> it worked that way. I couldn't explain the data flow. I couldn't debug it because I didn't understand the decisions AI had made.</p> <p>So I did what felt natural — I asked AI to fix the bug.</p> <p>It did. The bug disappeared. But I felt... weird about it. I'd shipped a fix I didn't understand, for a project I didn't understand, to solve a problem I didn't fully grasp.</p> <p>I was essentially a copy-paster, but with better branding.</p> <h2> The Debugging Hell </h2> <p>Here's where it gets worse.</p> <p>A month into this experiment, I was working on something more complex. Multiple files, some tricky state management, the kind of thing where small changes have big ripple effects.</p> <p>Something broke. Not a clear error — just... wrong behavior.</p> <p>I spent three hours trying to fix it. Three hours of pasting code into AI, getting suggestions that almost worked but not quite, watching the bug mutate into different bugs, feeling my confidence erode.</p> <p>Here's the thing about AI: it's great at writing code that works. It's <em>okay</em> at fixing code. But when you're deep in the weeds of a complex system you don't fully understand? AI can't save you.</p> <p>Because it doesn't understand the context either. It doesn't know the history of decisions you made. It can't see the system as a whole.</p> <p>It just sees tokens and patterns.</p> <p>That night, at 2 AM, staring at code I'd technically "written" but didn't understand, I realized something:</p> <p><strong>I'd outsourced the thinking, not just the typing.</strong></p> <h2> What You Actually Lose </h2> <p>It's not just about understanding your code, though that's huge.</p> <p><strong>It's about growth.</strong></p> <p>I looked back at that month of AI-assisted development and asked myself: "What did I learn?"</p> <p>The honest answer? Not much.</p> <p>I'd shipped more projects than usual, sure. But I hadn't become a better developer. I hadn't leveled up my problem-solving. I hadn't even really engaged with the interesting parts of the problems I was solving.</p> <p>I'd become really good at... prompting. At assembling pieces. At shipping fast.</p> <p>But the deep satisfaction that comes from genuinely solving a hard problem? That was gone.</p> <p>And here's the scary part: I could feel myself getting <em>dependent</em>. I'd start a project and immediately think "I'll just have AI handle that part." I was avoiding the hard stuff — the stuff that actually makes you grow.</p> <h2> The Middle Ground (What I Do Now) </h2> <p>So I stopped. Not completely — that would be throwing the baby out with the bathwater. But I changed my approach.</p> <p>Here's what works for me:</p> <h3> AI Handles The Boring Stuff </h3> <p>✅ Boilerplate code — project setup, config files, repetitive patterns</p> <p>✅ Research — "What's the best way to parse JSON in Go?" or "How does this library work?"</p> <p>✅ Unblocking — when I'm genuinely stuck, AI helps me see options I hadn't considered</p> <p>✅ Code review — "Find security issues in this" or "What would you improve?"</p> <p>✅ Tests — generating unit tests, especially for edge cases I hadn't thought of</p> <p>✅ Documentation — writing READMEs, adding comments (but only after I understand what's happening)</p> <h3> I Handle The Important Stuff </h3> <p>❌ Complex business logic — if I don't understand the core problem deeply, no amount of AI will save me</p> <p>❌ Security-sensitive code — AI misses things, and I need to be able to defend every security decision</p> <p>❌ Performance-critical paths — AI writes "okay" code, not fast code</p> <p>❌ Architecture decisions — AI doesn't know my context, my constraints, my tradeoffs</p> <p>❌ Production debugging — if I don't understand the system, I'm helpless when things break</p> <h3> The Golden Rule </h3> <p>Here's the rule I live by now:</p> <p><strong>Never ship code you couldn't debug yourself.</strong></p> <p>Before committing AI-generated code, I ask myself:</p> <ol> <li>Can I explain what this code does, line by line?</li> <li>Do I understand <em>why</em> it's written this way and not some other way?</li> <li>If this breaks at 3 AM on a Sunday, could I fix it without AI's help?</li> </ol> <p>If the answer to any of these is "no" — I don't ship it.</p> <p>Period.</p> <h2> What This Actually Looks Like In Practice </h2> <p>Let me give you a concrete example.</p> <p>Recently, I built a <a href="https://github.com/kzeitar/freeport" rel="noopener noreferrer">CLI tool</a> that kills processes running on specific ports. Simple stuff.</p> <p>Here's how AI helped:</p> <ul> <li>It generated the CLI argument parsing boilerplate</li> <li>It showed me how to find processes by port (<em>I hadn't done this before</em>)</li> <li>It suggested cross-platform considerations I hadn't thought of</li> <li>It helped me write helpful error messages</li> </ul> <p>Here's what I did myself:</p> <ul> <li>I decided on the overall structure and flow</li> <li>I wrote the core logic (finding the process, killing it safely)</li> <li>I tested edge cases manually to understand failure modes</li> <li>I read every line of code before committing it</li> <li>I could explain the entire program to you if you asked</li> </ul> <p>The result? I built it in two days instead of five. But I <em>understood</em> what I built.</p> <p>And when someone reported a bug on Windows (naturally), I knew exactly where to look. I wasn't guessing. I wasn't pasting errors into AI hoping for the best.</p> <p>I was a developer who'd used tools to work faster — not an assembler of other people's code.</p> <h2> The Real Question </h2> <p>So should you use AI when you code?</p> <p>I think the better question is: <strong>What's your goal?</strong></p> <p>If you're trying to ship a side project fast and you don't care about growing as a developer? Go for it. Let AI write everything. Ship fast, learn what happens.</p> <p>If you're building something serious — something that needs to last, something that might break in production at 3 AM? Then you need to understand what you're building. Use AI as a tool, not a replacement for thinking.</p> <p>If you're early in your career and trying to grow? Be careful. There's no substitute for struggling through hard problems. That struggle is where the learning happens.</p> <p>If you're experienced and just want to move faster? Use AI intelligently. Let it handle the stuff that's below your skill level. Do the stuff that's at or above it.</p> <h2> Where I Landed </h2> <p>A month later, here's what I've settled into:</p> <p>AI writes about 50-60% of my code. But I read 100% of it. I understand 100% of it. And I could debug 100% of it if I had to.</p> <p>The speed gains are still there. The momentum is still there.</p> <p>But the growth is back too. The satisfaction of solving hard problems. The confidence that comes from truly understanding what I've built.</p> <p>I'm not just shipping faster. I'm becoming a better developer while I do it.</p> <h2> The Bottom Line </h2> <p>AI is an incredible tool. Maybe the best thing to happen to developer productivity in my lifetime.</p> <p>But it's just that — a tool.</p> <p>Like any tool, it can amplify your abilities or it can become a crutch. The difference isn't in the tool itself. It's in how you use it.</p> <p>So use AI. Embrace it. Let it make you faster, more productive, less frustrated.</p> <p>But never, ever ship code you don't understand.</p> <p>Your future self — the one debugging production issues at 2 AM — will thank you.</p> <p><em>What's your experience with AI-assisted coding? Have you found a balance that works for you? I'd love to hear your story.</em></p> ai vibecoding cli Building an AI-Powered (SaaS, App, etc) Idea Validation System Khaled Zeitar Mon, 29 Dec 2025 09:00:00 +0000 https://forem.com/kzeitar/building-an-ai-powered-saas-app-etc-idea-validation-system-bpg https://forem.com/kzeitar/building-an-ai-powered-saas-app-etc-idea-validation-system-bpg <h2> What This Is </h2> <p>Idea Sieve automates the boring part of validating startup ideas - the market research, competitor analysis, and honest assessment that you know you should do but usually skip. Give it an idea, and in 5-10 minutes you get a comprehensive validation report with real competitors, market data, and specific next steps.</p> <p><strong>Repository</strong>: <a href="https://github.com/kzeitar/idea-sieve" rel="noopener noreferrer">github.com/kzeitar/idea-sieve</a></p> <p>The interesting technical challenge here isn't the CRUD operations - it's getting an LLM to do reliable research and give you honest, consistent feedback instead of hallucinating competitors or telling you everything looks great.</p> <h2> Tech Stack </h2> <p>I went with a TypeScript monorepo because I wanted end-to-end type safety and didn't want to deal with version conflicts:</p> <p><strong>Frontend</strong></p> <ul> <li>React 19.2.3 with TanStack Router v1 (file-based routing with actual type safety)</li> <li>TanStack Query v5 for server state</li> <li>TailwindCSS 4.0 + shadcn/ui (I'm not a designer)</li> <li>Vite for fast builds</li> </ul> <p><strong>Backend</strong></p> <ul> <li>Hono (lightweight, fast web framework)</li> <li>Bun runtime (native TypeScript, faster cold starts than Node)</li> <li>Server-Sent Events for real-time progress updates</li> </ul> <p><strong>Database</strong></p> <ul> <li>PostgreSQL 17 + Prisma (type-safe queries, great DX)</li> </ul> <p><strong>AI Stack</strong></p> <ul> <li>OpenAI GPT-5.2 for final report generation (the expensive, smart one)</li> <li>OpenAI GPT-5.2-mini for research tasks (cheap and fast enough)</li> <li>Tavily AI for web search (purpose-built for LLM agents)</li> </ul> <p>Everything runs in Docker, so setup is just <code>docker-compose up</code>.</p> <h2> How It Works: The Pipeline </h2> <h3> Phase 1: Planning What to Research </h3> <p>Instead of hard-coding research tasks, I let GPT-5.2-mini figure out what needs validation based on the idea type. A SaaS idea needs different validation than a marketplace or Chrome extension.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">planValidationTasks</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="nx">ValidationInput</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Task</span><span class="p">[]</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">output</span><span class="p">:</span> <span class="nx">taskPlan</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">cheapModel</span><span class="p">,</span> <span class="c1">// GPT-5.2-mini</span> <span class="na">system</span><span class="p">:</span> <span class="nx">AI_IDEA_VALIDATOR_SYSTEM_PROMPT</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="nx">Output</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">tasks</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">description</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">priority</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">]),</span> <span class="na">estimatedSearches</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">()</span> <span class="p">})</span> <span class="p">)</span> <span class="p">})</span> <span class="p">}),</span> <span class="na">prompt</span><span class="p">:</span> <span class="s2">`Generate </span><span class="p">${</span><span class="nx">DEFAULT_CONFIG</span><span class="p">.</span><span class="nx">targetTaskCount</span><span class="p">}</span><span class="s2"> validation tasks for: </span><span class="p">${</span><span class="nx">input</span><span class="p">.</span><span class="nx">ideaName</span><span class="p">}</span><span class="s2">`</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">taskPlan</span><span class="p">.</span><span class="nx">tasks</span> <span class="p">}</span> </code></pre> </div> <p>This typically generates 4-6 tasks like "Research direct competitors," "Analyze market size and growth," "Find user pain points in reviews," etc.</p> <h3> Phase 2: Doing the Research </h3> <p>Each task runs autonomously with access to Tavily for web search. The key here is constraining it - unlimited searches = runaway costs and latency.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">executeValidationTask</span><span class="p">(</span> <span class="nx">input</span><span class="p">:</span> <span class="nx">ValidationInput</span><span class="p">,</span> <span class="nx">task</span><span class="p">:</span> <span class="nx">Task</span><span class="p">,</span> <span class="nx">previousResults</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="nx">result</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">cheapModel</span><span class="p">,</span> <span class="na">system</span><span class="p">:</span> <span class="nx">AI_IDEA_VALIDATOR_SYSTEM_PROMPT</span><span class="p">,</span> <span class="na">tools</span><span class="p">:</span> <span class="p">{</span> <span class="na">webSearch</span><span class="p">:</span> <span class="nf">tavilySearch</span><span class="p">({</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TAVILY_API_KEY</span> <span class="p">})</span> <span class="p">},</span> <span class="na">stopWhen</span><span class="p">:</span> <span class="nf">stepCountIs</span><span class="p">(</span><span class="nx">DEFAULT_CONFIG</span><span class="p">.</span><span class="nx">maxSearchesPerTask</span> <span class="o">+</span> <span class="mi">1</span><span class="p">),</span> <span class="na">prompt</span><span class="p">:</span> <span class="s2">`Research Task: </span><span class="p">${</span><span class="nx">task</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="s2"> CONSTRAINTS: - You have EXACTLY </span><span class="p">${</span><span class="nx">DEFAULT_CONFIG</span><span class="p">.</span><span class="nx">maxSearchesPerTask</span><span class="p">}</span><span class="s2"> searches - Focus on specific, actionable evidence - Cite sources for all claims - Return findings in 200-300 words`</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">result</span> <span class="p">}</span> </code></pre> </div> <p>The agent decides when to search and what queries to use. <code>stepCountIs()</code> is the hard stop - after 3 searches, it must synthesize findings and move on.</p> <p>Tasks run sequentially with context passing, so later tasks can build on earlier findings.</p> <h3> Phase 3: Generating the Final Report </h3> <p>Once all research is done, GPT-5.2 (the expensive model) synthesizes everything into a structured report.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">generateValidationReport</span><span class="p">(</span> <span class="nx">input</span><span class="p">:</span> <span class="nx">ValidationInput</span><span class="p">,</span> <span class="nx">tasks</span><span class="p">:</span> <span class="nx">Task</span><span class="p">[],</span> <span class="nx">taskResults</span><span class="p">:</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ValidationReport</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">allFindings</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">taskResults</span><span class="p">.</span><span class="nf">entries</span><span class="p">())</span> <span class="p">.</span><span class="nf">map</span><span class="p">(([</span><span class="nx">taskId</span><span class="p">,</span> <span class="nx">result</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">task</span> <span class="o">=</span> <span class="nx">tasks</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">t</span> <span class="o">=&gt;</span> <span class="nx">t</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">taskId</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`**Task: </span><span class="p">${</span><span class="nx">task</span><span class="p">?.</span><span class="nx">title</span><span class="p">}</span><span class="s2">**\n</span><span class="p">${</span><span class="nx">result</span><span class="p">}</span><span class="s2">`</span> <span class="p">})</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n\n</span><span class="s1">---</span><span class="se">\n\n</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">output</span><span class="p">:</span> <span class="nx">report</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">expensiveModel</span><span class="p">,</span> <span class="c1">// GPT-5.2</span> <span class="na">system</span><span class="p">:</span> <span class="nx">AI_IDEA_VALIDATOR_SYSTEM_PROMPT</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="nx">Output</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">validationReportSchema</span> <span class="p">}),</span> <span class="na">prompt</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nf">buildValidationPrompt</span><span class="p">(</span><span class="nx">input</span><span class="p">)}</span><span class="s2"> VALIDATION RESEARCH FINDINGS: </span><span class="p">${</span><span class="nx">allFindings</span><span class="p">}</span><span class="s2"> Generate comprehensive validation report following schema requirements.`</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">report</span> <span class="k">as</span> <span class="nx">ValidationReport</span> <span class="p">}</span> </code></pre> </div> <p>Using the expensive model only here keeps costs down while maintaining quality where it matters.</p> <h2> The Schema: Enforcing Structure </h2> <p>The report schema is what prevents the AI from going off the rails. Everything is validated with Zod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">validationReportSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">recommendation</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span> <span class="dl">'</span><span class="s1">BUILD_NOW</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BUILD_WITH_CAUTION</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PIVOT_REQUIRED</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DO_NOT_BUILD</span><span class="dl">'</span> <span class="p">]),</span> <span class="na">marketAnalysis</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">score</span><span class="p">:</span> <span class="nx">scoreSchema</span><span class="p">,</span> <span class="c1">// { value: 0-10, reasoning, confidence: 0-100 }</span> <span class="na">marketSize</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">z.string(),</span><span class="dl">"</span> <span class="na">estimatedValue</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">growthRate</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">sources</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">())</span> <span class="c1">// Must cite sources</span> <span class="p">}),</span> <span class="na">competitors</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">competitorSchema</span><span class="p">),</span> <span class="na">competitorCount</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">direct</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">indirect</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">()</span> <span class="p">}),</span> <span class="na">demandSignals</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">())</span> <span class="p">}),</span> <span class="na">competitiveAnalysis</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">score</span><span class="p">:</span> <span class="nx">scoreSchema</span><span class="p">,</span> <span class="na">positioning</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">differentiationStrength</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">weak</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">moderate</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">]),</span> <span class="na">competitiveAdvantages</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="na">threats</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">())</span> <span class="p">}),</span> <span class="na">risks</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">category</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">z.string(),</span><span class="dl">"</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">]),</span> <span class="na">mitigation</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">})),</span> <span class="na">nextSteps</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">priority</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">]),</span> <span class="na">action</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">reasoning</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">estimatedEffort</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">successCriteria</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="c1">// Actionable criteria, not vague advice</span> <span class="p">})),</span> <span class="na">dataQuality</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">overallScore</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">researchDepth</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">surface</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">moderate</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">comprehensive</span><span class="dl">'</span><span class="p">]),</span> <span class="na">confidenceLevel</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">]),</span> <span class="na">notes</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <p>Competitors are similarly structured:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">competitorSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">website</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Must have a real URL</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">z.string(),</span><span class="dl">"</span> <span class="na">strengths</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="na">weaknesses</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="na">marketShare</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">dominant</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">significant</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">emerging</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">niche</span><span class="dl">'</span><span class="p">]),</span> <span class="na">pricing</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">lastUpdated</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>If the AI tries to generate something that doesn't match the schema, it fails. No hallucinated competitors with fake metrics.</p> <h2> The Secret Sauce: Prompt Engineering </h2> <p>Here's the thing - the schema prevents bad structure, but it doesn't prevent bad content. That's where the system prompt comes in.</p> <p>I spent weeks iterating on a 730-line system prompt that's basically the entire validation methodology. This is where most of the quality comes from.</p> <h3> Structure Breakdown </h3> <p><strong>1. Core Philosophy (50 lines)</strong></p> <ul> <li>What your job actually is (find reasons ideas WON'T work, not validate them)</li> <li>Evidence requirements (no "I think", only "based on [data]")</li> <li>How to apply different tone modes (Brutal, Balanced, Encouraging, Optimistic)</li> </ul> <p><strong>2. Validation Methodology (400 lines)</strong></p> <p>This is the meat. It's organized into phases:</p> <p><strong>Phase 1: Market Reality Check</strong></p> <ul> <li>Problem validation (do people currently PAY to solve this?)</li> <li>Market sizing with specific benchmarks by idea type <ul> <li>SaaS: $100M+ TAM, target $1M+ ARR year 1</li> <li>Micro-SaaS: $5-50M TAM, target $5-50K MRR</li> <li>Marketplace: $100M+ transaction volume, take rates 10-30%</li> <li>etc.</li> </ul> </li> <li>Demand validation pyramid with weighted signals (Tier 1 = pre-orders, Tier 4 = founder conviction alone)</li> </ul> <p><strong>Phase 2: Competitive Analysis</strong></p> <ul> <li>7+ specific search patterns to find ALL competitors (not just obvious ones)</li> <li>Moat assessment framework (network effects, switching costs, scale economies)</li> <li>Differentiation depth: Level 1 (superficial, copyable) vs Level 3 (fundamental, impossible to copy)</li> </ul> <p><strong>Phase 3: Unit Economics</strong></p> <ul> <li>CAC/LTV modeling with benchmarks per channel</li> <li>Critical ratios: LTV:CAC &gt;3:1 = good, &lt;1:1 = broken</li> <li>CAC payback: &lt;6mo = excellent, &gt;18mo = very difficult</li> </ul> <p><strong>Phase 4: Risk Pattern Recognition</strong></p> <ul> <li>Common failure patterns ("Vitamin vs Painkiller" test, "Distribution Delusion", etc.)</li> <li>Red flag checklists that deduct points</li> </ul> <p><strong>Phase 5: Framework-Specific Analysis</strong></p> <ul> <li>Different rubrics for SaaS, Micro-SaaS, Marketplace, Mobile App, API Tool, Info Product, Chrome Extension</li> <li>Each has specific metrics, benchmarks, and automatic deal-breakers</li> </ul> <p><strong>Phase 6: Next Steps Quality</strong></p> <ul> <li>Template for actionable next steps with success criteria</li> <li>Bad: "Build MVP"</li> <li>Good: "Build landing page with mockups, drive 200 visitors from LinkedIn, target &gt;10% email conversion"</li> </ul> <p><strong>3. Tone Modes (100 lines)</strong></p> <p>The same data gets different framing based on tone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BRUTAL MODE: - Most ideas fail. Prove this one won't. - BUILD_NOW only for top 5% based on evidence - Direct, uncompromising language BALANCED MODE (default): - Fair assessment, honest guidance - Evidence-based recommendations - Professional, constructive ENCOURAGING MODE: - Frame challenges as solvable problems - Focus on BUILD_WITH_CAUTION for viable ideas - Supportive but honest OPTIMISTIC MODE: - Emphasize opportunity and potential - Liberal use of BUILD_NOW/BUILD_WITH_CAUTION - Positive, opportunistic </code></pre> </div> <p>I use Brutal mode for my own ideas because I need to hear why they suck. But some people prefer Balanced or Encouraging.</p> <p><strong>4. Research Protocol (80 lines)</strong></p> <p>Guidelines for efficient search:</p> <ul> <li>Strategic approach: 2-3 competitor searches, 2-3 market searches, 2-3 demand searches</li> <li>Combine multiple objectives when possible</li> <li>Confidence calibration thresholds (what 90% confidence looks like vs 30%)</li> </ul> <p><strong>5. Data Quality Rules (100 lines)</strong></p> <p>How to score confidence and data quality, and how that affects recommendations:</p> <ul> <li>Data Quality &lt;50 → Cannot recommend BUILD_NOW</li> <li>Data Quality &lt;30 → Maximum BUILD_WITH_CAUTION</li> <li>Low confidence → Reduce scores by 1-2 points</li> </ul> <h3> Example Scoring Rubric </h3> <p>This is embedded in the prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SaaS Benchmarks: - LTV:CAC Ratio: &gt;5:1 = Excellent, 3:1-5:1 = Good, &lt;3:1 = Poor - Monthly Churn: &lt;3% = Great, 3-5% = Good, &gt;7% = Poor - Market Size: $100M+ TAM required - Pricing: $50-500+/user/mo Confidence Adjustment: - If data quality &lt;50, cannot recommend BUILD_NOW - If confidence &lt;60%, reduce score by 1-2 points - Brutal mode: BUILD_NOW only for top 5% of ideas </code></pre> </div> <p>The prompt engineering here is honestly more important than the code. Get this right and the system works. Get it wrong and you get generic, useless feedback.</p> <h2> Real-Time Updates with SSE </h2> <p>Nobody wants to stare at a loading spinner for 5 minutes wondering if it crashed.</p> <h3> Server Side </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/jobs/:jobId/stream</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">streamSSE</span><span class="p">(</span><span class="nx">c</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">stream</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Send initial state immediately</span> <span class="kd">const</span> <span class="nx">initialState</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">validationService</span><span class="p">.</span><span class="nf">getJobStatus</span><span class="p">(</span><span class="nx">jobId</span><span class="p">)</span> <span class="k">await</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">initialState</span><span class="p">)</span> <span class="p">})</span> <span class="c1">// Poll and push updates every 500ms</span> <span class="kd">const</span> <span class="nx">pollInterval</span> <span class="o">=</span> <span class="nf">setInterval</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">validationService</span><span class="p">.</span><span class="nf">getJobStatus</span><span class="p">(</span><span class="nx">jobId</span><span class="p">)</span> <span class="k">await</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">state</span><span class="p">)</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">state</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">completed</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">state</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">pollInterval</span><span class="p">)</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="p">}</span> <span class="p">},</span> <span class="mi">500</span><span class="p">)</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h3> Client Side </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">useValidationStream</span><span class="p">(</span><span class="nx">jobId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">status</span><span class="p">,</span> <span class="nx">setStatus</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">JobStatus</span><span class="o">&gt;</span><span class="p">()</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">tasks</span><span class="p">,</span> <span class="nx">setTasks</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">TaskResult</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">([])</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">eventSource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EventSource</span><span class="p">(</span><span class="s2">`/api/validate/jobs/</span><span class="p">${</span><span class="nx">jobId</span><span class="p">}</span><span class="s2">/stream`</span><span class="p">)</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">update</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="nf">setStatus</span><span class="p">(</span><span class="nx">update</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="nf">setTasks</span><span class="p">(</span><span class="nx">update</span><span class="p">.</span><span class="nx">tasks</span> <span class="o">||</span> <span class="p">[])</span> <span class="p">}</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="p">},</span> <span class="p">[</span><span class="nx">jobId</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">status</span><span class="p">,</span> <span class="nx">tasks</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now users see:</p> <ul> <li>"Planning validation tasks..."</li> <li>"Researching competitors..." (1/8)</li> <li>"Analyzing market size..." (2/8)</li> <li>etc.</li> </ul> <p>Way better than a spinner. Took about 2 hours to implement.</p> <h2> Error Handling: ai-retry </h2> <p>APIs fail. Rate limits hit. Networks are unreliable. Instead of manual retry logic, I use <code>ai-retry</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createRetryable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ai-retry</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">retryAfterDelay</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ai-retry/retryables</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">cheapModel</span> <span class="o">=</span> <span class="nf">createRetryable</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nf">openai</span><span class="p">(</span><span class="dl">'</span><span class="s1">gpt-5-mini</span><span class="dl">'</span><span class="p">),</span> <span class="na">retries</span><span class="p">:</span> <span class="p">[</span> <span class="nf">retryAfterDelay</span><span class="p">({</span> <span class="na">delay</span><span class="p">:</span> <span class="mi">1</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// Start with 1 second</span> <span class="na">backoffFactor</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="c1">// Double each time: 1s, 2s, 4s</span> <span class="na">maxAttempts</span><span class="p">:</span> <span class="mi">3</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">expensiveModel</span> <span class="o">=</span> <span class="nf">createRetryable</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nf">openai</span><span class="p">(</span><span class="dl">'</span><span class="s1">gpt-5.2</span><span class="dl">'</span><span class="p">),</span> <span class="na">retries</span><span class="p">:</span> <span class="p">[</span> <span class="nf">retryAfterDelay</span><span class="p">({</span> <span class="na">delay</span><span class="p">:</span> <span class="mi">1</span><span class="nx">_000</span><span class="p">,</span> <span class="na">backoffFactor</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">maxAttempts</span><span class="p">:</span> <span class="mi">3</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p>Simple, effective. Handles 429 rate limits automatically with exponential backoff.</p> <h2> Cost Optimization: Two-Model Strategy </h2> <p>Here's the math that matters (based on <a href="https://openai.com/api/pricing/" rel="noopener noreferrer">OpenAI API pricing</a> and <a href="https://docs.tavily.com/documentation/api-credits" rel="noopener noreferrer">Tavily pricing</a>):</p> <p><strong>Current API Pricing:</strong></p> <ul> <li>GPT-5.2: $1.75/1M input tokens, $14/1M output tokens</li> <li>GPT-5 mini: $0.25/1M input tokens, $2/1M output tokens</li> <li>Tavily: $0.008 per search request</li> </ul> <p><strong>Estimated costs per validation:</strong></p> <ul> <li>8 research tasks (GPT-5 mini): ~$0.01-0.02</li> <li>1 final report (GPT-5.2): ~$0.03-0.05</li> <li>10 Tavily searches: ~$0.08</li> <li><strong>Total: ~$0.12-0.15 per validation</strong></li> </ul> <p>If you used GPT-5.2 for everything, it would be roughly <strong>3-4x more expensive</strong> due to the higher token costs.</p> <p>The quality difference? Basically none. Research tasks don't need GPT-5.2's reasoning - they just need to search and summarize. Save the expensive model for the final synthesis where it matters.</p> <p><em>Note: Actual costs vary based on prompt length and response size. These are estimates based on typical validations.</em></p> <h3> Search Optimization </h3> <p><strong>Before I added constraints:</strong></p> <ul> <li>Average: ~15 searches per validation task</li> <li>Time: 120+ seconds</li> <li>More token usage from processing redundant search results</li> </ul> <p><strong>After limiting to 3 searches per task:</strong></p> <ul> <li>Average: ~8-10 searches total</li> <li>Time: 75 seconds (37% faster)</li> <li>Quality: Maintained (89% vs 91% user satisfaction)</li> <li>Cost: Significantly lower due to fewer searches and less token usage</li> </ul> <p>The trick is the prompt instruction: "Plan before searching - know exactly what you need." This forces the agent to think strategically instead of searching randomly.</p> <h3> Performance Metrics </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Target</th> <th>Actual</th> </tr> </thead> <tbody> <tr> <td>Total Time</td> <td>&lt;10 min</td> <td>5-8 min</td> </tr> <tr> <td>Task Planning</td> <td>&lt;5s</td> <td>2-4s</td> </tr> <tr> <td>Research per Task</td> <td>&lt;30s</td> <td>20-35s</td> </tr> <tr> <td>Final Report</td> <td>&lt;20s</td> <td>15-25s</td> </tr> <tr> <td>SSE Update Latency</td> <td>&lt;1s</td> <td>500ms</td> </tr> </tbody> </table></div> <h2> The Biggest Challenges </h2> <h3> 1. Inconsistent Scoring </h3> <p>Early versions would give wildly different scores to similar ideas. Same concept, different day = 3/10 vs 8/10.</p> <p>The problem was underspecified criteria. The AI had no calibration.</p> <p><strong>The fix:</strong> Put detailed benchmarks in the system prompt. Not "good market size" but "SaaS needs $100M+ TAM, aim for $1M+ ARR year 1." Not "high churn" but "&lt;3% monthly is great, &gt;7% is poor."</p> <p>Also added confidence adjustment: low-quality data automatically reduces scores.</p> <p><strong>Result:</strong> Score standard deviation dropped from ±2.3 to ±0.7 for similar ideas.</p> <h3> 2. Hallucinations </h3> <p>The AI would confidently invent competitors. "CompetitorX has 50K users and raised $10M Series A" - completely fictional.</p> <p><strong>The fix was multi-layered:</strong></p> <ol> <li> <strong>Structured outputs</strong> - Zod schema enforcement means it can't just write free text</li> <li> <strong>Source requirements</strong> - Prompt explicitly requires: "All competitor data must come from Tavily search results"</li> <li> <strong>URL validation</strong> - Competitors must have real website URLs in the schema</li> <li> <strong>Confidence scoring</strong> - Mark uncertain data as low confidence</li> <li> <strong>Tavily-only rule</strong> - No citing "public knowledge" without search verification</li> </ol> <p><strong>Result:</strong> Hallucination rate went from 23% to &lt;2% (verified by spot-checking).</p> <h3> 3. Search Efficiency </h3> <p>Unlimited searches meant:</p> <ul> <li>High costs (Tavily charges per search)</li> <li>Long latency (each search adds time)</li> <li>Redundant searches (asking similar things multiple ways)</li> </ul> <p><strong>The solution:</strong></p> <p>Hard limit of 3 searches per task enforced by <code>stopWhen(stepCountIs(N))</code>. The agent can't cheat - after N tool calls, it MUST stop.</p> <p>Added explicit instructions: "You have EXACTLY 3 searches. Plan what you need before searching."</p> <p>This constrains autonomy but dramatically improves efficiency. The quality barely changed because most searches were redundant anyway.</p> <h2> Using Tavily for Search </h2> <p>Generic search APIs (Google, Bing) return raw HTML you have to parse. Tavily is purpose-built for LLMs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">tavilySearch</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@tavily/ai-sdk</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="nx">result</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">cheapModel</span><span class="p">,</span> <span class="na">tools</span><span class="p">:</span> <span class="p">{</span> <span class="na">webSearch</span><span class="p">:</span> <span class="nf">tavilySearch</span><span class="p">({</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TAVILY_API_KEY</span> <span class="p">})</span> <span class="p">},</span> <span class="na">prompt</span><span class="p">:</span> <span class="nx">researchPrompt</span> <span class="p">})</span> </code></pre> </div> <p>The agent decides when to search and what queries to use. Tavily returns:</p> <ul> <li>Clean, extracted text (no HTML parsing)</li> <li>AI-optimized excerpts (relevant sections only)</li> <li>Built-in answer summaries</li> <li>Source URLs for verification</li> </ul> <p>It's more expensive per search than Google Custom Search, but you save so much time not dealing with HTML parsing and content extraction that it's absolutely worth it.</p> <h2> Running It Yourself </h2> <p>Setup is under 2 minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/kzeitar/idea-sieve.git <span class="nb">cd </span>idea-sieve <span class="nb">cp</span> .env.example .env <span class="c"># Add your OpenAI and Tavily API keys to .env</span> docker-compose up <span class="nt">-d</span> docker-compose <span class="nb">exec </span>server bunx prisma migrate deploy docker-compose <span class="nb">exec </span>server bunx prisma db seed <span class="c"># Open http://localhost:3001</span> </code></pre> </div> <p>For development:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm <span class="nb">install </span>docker-compose up db <span class="nt">-d</span> pnpm <span class="nt">--filter</span> @idea-sieve/db prisma:migrate pnpm dev <span class="c"># Runs web:3001, server:3000</span> </code></pre> </div> <h2> What I'd Build Next </h2> <h3> 1. Redis Caching </h3> <p>Right now, validating the same idea twice does all the research again. Should cache Tavily results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CacheKey</span> <span class="p">{</span> <span class="nl">ideaDescription</span><span class="p">:</span> <span class="kr">string</span> <span class="c1">// Normalized</span> <span class="nx">ideaType</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">validationTone</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="c1">// Cache for 7 days (balance freshness vs savings)</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">hashKey</span><span class="p">(</span><span class="nx">key</span><span class="p">))</span> </code></pre> </div> <p><strong>Expected impact:</strong> 40-60% cost reduction on repeated validations.</p> <h3> 2. Streaming the Final Report </h3> <p>Currently you wait 15-25 seconds for the complete report. Should stream it token-by-token as it generates.</p> <p><strong>Expected impact:</strong> 60-70% perceived latency reduction. The data arrives in the same time, but users see progress immediately.</p> <h3> 3. Parallel Research Execution </h3> <p>Tasks currently run sequentially. Many are independent and could run in parallel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">independentTasks</span> <span class="o">=</span> <span class="nx">tasks</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">t</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="nx">t</span><span class="p">.</span><span class="nx">dependsOn</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">independentTasks</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">task</span> <span class="o">=&gt;</span> <span class="nf">executeValidationTask</span><span class="p">(</span><span class="nx">input</span><span class="p">,</span> <span class="nx">task</span><span class="p">,</span> <span class="p">[]))</span> <span class="p">)</span> </code></pre> </div> <p><strong>Expected impact:</strong> 30-40% faster validations.</p> <h2> What I Learned </h2> <p><strong>1. Prompt engineering is most of the work</strong></p> <p>The 730-line system prompt is more important than all the TypeScript code combined. You can have perfect architecture but if your prompts are vague, the output will be useless.</p> <p>Spend time here. Iterate. Test. Refine. It's 70%+ of your quality.</p> <p><strong>2. Structured outputs are non-negotiable</strong></p> <p>Never parse LLM text output. Use schemas. The AI SDK's <code>Output.object()</code> with Zod schemas means you get typed, validated objects every time.</p> <p>Before: "Let me regex parse this text and hope the format doesn't change"<br> After: Guaranteed structure, TypeScript types, runtime validation</p> <p><strong>3. The two-model strategy actually works</strong></p> <p>I was skeptical about mixing models, but the data is clear: research tasks don't need GPT-5.2. Use GPT-5 mini for research and GPT-5.2 only for final synthesis.</p> <p>This approach is 3-4x cheaper than using GPT-5.2 for everything, with zero quality loss.</p> <p><strong>4. Constraints improve quality</strong></p> <p>Unlimited searches = bad results. Forcing the agent to plan and use limited searches made it more strategic and actually improved output quality.</p> <p>Sometimes less autonomy is better.</p> <p><strong>5. Real-time UX matters more than I thought</strong></p> <p>SSE streaming took 2 hours to implement and made the experience 10x better. Seeing progress removes anxiety about whether it crashed or is still working.</p> <p>Small effort, huge UX impact.</p> <h2> The Honest Take </h2> <p>This tool won't guarantee your idea succeeds. It won't replace talking to real users. But it will:</p> <ul> <li>Find competitors you didn't know about</li> <li>Surface red flags early</li> <li>Give you specific next steps to validate assumptions</li> <li>Force you to look at evidence instead of just vibes</li> </ul> <p>I've used it on 6 ideas in the last month. Two got brutal scores with clear reasons why (saved me months). Three got mid-range scores with specific pivots. One got 8/10 and I'm building it now.</p> <p>That's the value: not predicting success, but helping you avoid obvious failures faster.</p> <p><strong>Try it:</strong> <a href="https://github.com/kzeitar/idea-sieve" rel="noopener noreferrer">github.com/kzeitar/idea-sieve</a></p> <p><strong>Contribute:</strong> PRs welcome for better prompts, additional frameworks, or UX improvements.</p> showandtell ai pgaichallenge Advanced Rate Limiting Patterns: Multi-Tier, Compound Limiters, and Distributed Systems Khaled Zeitar Mon, 29 Dec 2025 01:22:06 +0000 https://forem.com/kzeitar/advanced-rate-limiting-patterns-multi-tier-compound-limiters-and-distributed-systems-4mm6 https://forem.com/kzeitar/advanced-rate-limiting-patterns-multi-tier-compound-limiters-and-distributed-systems-4mm6 <p>You've got basic rate limiting working. Your API is protected. Life is good.</p> <p>Then your product manager walks over: "We need different rate limits for free and paid users." Or your infrastructure team says "We're adding a second server, will your rate limiting still work?" Or you realize that your image processing endpoint needs way stricter limits than your read-only endpoints.</p> <p>This is where things get interesting. Let's talk about advanced patterns that I've actually used in production.</p> <h2> Different limits for different users </h2> <p>The SaaS problem: free users get 100 requests per hour, paid users get 1000, enterprise gets basically unlimited. How do you handle this?</p> <p>The naive approach is to check the user's tier and then use an if statement to pick different limits. That works until you have 5 tiers and 10 endpoints and now you have 50 different limit configurations scattered through your code.</p> <p>Here's a cleaner way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">RateLimiterFactory</span><span class="p">,</span> <span class="nx">InMemoryStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zeitar/throttle</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryStorage</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">tiers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">free</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">free-tier</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">),</span> <span class="na">pro</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pro-tier</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">),</span> <span class="na">enterprise</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">enterprise-tier</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">10000</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">)</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">multiTierRateLimit</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userTier</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">tier</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">free</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">factory</span> <span class="o">=</span> <span class="nx">tiers</span><span class="p">[</span><span class="nx">userTier</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">factory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-RateLimit-Tier</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userTier</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-RateLimit-Remaining</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nf">getRemainingTokens</span><span class="p">().</span><span class="nf">toString</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">tier</span><span class="p">:</span> <span class="nx">userTier</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Here's a clever conversion tactic: when free users hit their limit, tell them they can upgrade. This is a natural conversion point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="nx">userTier</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">free</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Upgrade to Pro for 10x higher limits</span><span class="dl">'</span><span class="p">,</span> <span class="na">upgradeUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://yourapp.com/pricing</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This can convert at 2–3%, which is better than most upsell prompts.</p> <h2> Enforcing multiple limits at once </h2> <p>A common production scenario: you need to prevent both burst attacks (someone hammering the API with 100 requests per second) AND sustained abuse (someone making 50,000 requests per day). A single rate limiter can't do both effectively.</p> <p>The solution is compound limiters — checking multiple limits for every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CompoundRateLimiterFactory</span><span class="p">,</span> <span class="nx">RateLimiterFactory</span><span class="p">,</span> <span class="nx">InMemoryStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zeitar/throttle</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryStorage</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">perSecondFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">per-second</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 second</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">perHourFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">per-hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">compound</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CompoundRateLimiterFactory</span><span class="p">([</span> <span class="nx">perSecondFactory</span><span class="p">,</span> <span class="nx">perHourFactory</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">compound</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="dl">'</span><span class="s1">user-123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </code></pre> </div> <p>The request only goes through if ALL limiters accept it. If any limiter rejects, the whole request is rejected.</p> <p>This is powerful because you can layer protection. Here's a production-ready configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">apiLimiter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CompoundRateLimiterFactory</span><span class="p">([</span> <span class="c1">// Prevent flooding</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">burst</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 second</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">20</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">),</span> <span class="c1">// Prevent sustained abuse</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sustained</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 minute</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">),</span> <span class="c1">// Daily quota</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fixed_window</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">daily</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 day</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">)</span> <span class="p">]);</span> </code></pre> </div> <p>Three layers of protection:</p> <ul> <li>Can't exceed 20 requests per second</li> <li>Can't sustain more than 100 requests per minute (1000 tokens that refill at 100/minute)</li> <li>Daily cap of 10,000 total</li> </ul> <p>Someone trying to abuse your API has to get through all three.</p> <h2> Global limits plus per-user limits </h2> <p>Sometimes you need to protect the entire system AND individual users. Example: your API calls an expensive third-party service that has its own rate limits. You need a global limit to stay under their cap, plus per-user limits for fairness.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">globalFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">global</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 second</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">10000</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">perUserFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">per-user</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 minute</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">rateLimitMiddleware</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">;</span> <span class="c1">// Check global limit first (same identifier for everyone)</span> <span class="kd">const</span> <span class="nx">globalLimiter</span> <span class="o">=</span> <span class="nx">globalFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="dl">'</span><span class="s1">api</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">globalResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">globalLimiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">globalResult</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">503</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Service temporarily unavailable</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">API is experiencing high traffic</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">globalResult</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Then check per-user limit</span> <span class="kd">const</span> <span class="nx">userLimiter</span> <span class="o">=</span> <span class="nx">perUserFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userLimiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userResult</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">userResult</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Note the different status codes: 503 for global (system issue), 429 for per-user (your issue). This helps clients understand what's happening.</p> <h2> Different costs for different endpoints </h2> <p>Not all endpoints are created equal. Reading a user profile is cheap. Generating a PDF report with 10,000 rows is expensive. You can reflect this in your rate limiting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">factory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="c1">// Simple read: 1 token</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/user/:id</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">factory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// handle result...</span> <span class="p">});</span> <span class="c1">// Complex search: 10 tokens</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/search</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">factory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> <span class="c1">// handle result...</span> <span class="p">});</span> <span class="c1">// Heavy report: 100 tokens</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/reports</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">factory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">100</span><span class="p">);</span> <span class="c1">// handle result...</span> <span class="p">});</span> </code></pre> </div> <p>Now users have 1000 tokens to spend however they want. They can make 1000 simple requests, or 10 reports, or any combination. This is way more flexible than separate limits per endpoint.</p> <h2> The reservation pattern </h2> <p>Here's a powerful pattern that's often overlooked: reservations. Say you have long-running operations like video processing, large file uploads, or batch jobs. You want to rate limit how many jobs a user can start, but you don't want to reject them immediately if they're at their limit — you want to queue them and wait for capacity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">factory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="c1">// Reserve tokens, wait up to 30 seconds for availability</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">reservation</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">reserve</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">30</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nx">reservation</span><span class="p">.</span><span class="nf">getRateLimit</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">rateLimit</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many concurrent jobs</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">rateLimit</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Wait for the reservation (blocks until tokens are available or timeout)</span> <span class="k">await</span> <span class="nx">reservation</span><span class="p">.</span><span class="nf">wait</span><span class="p">();</span> <span class="c1">// Now we're guaranteed to have the tokens</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Job started</span><span class="dl">'</span><span class="p">,</span> <span class="na">jobId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">startJobProcessing</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle MaxWaitDurationExceededError</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unable to acquire tokens within wait time</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The key difference between <code>consume()</code> and <code>reserve()</code>:</p> <ul> <li> <code>consume()</code>: Either gets tokens immediately or fails—perfect for real-time API requests</li> <li> <code>reserve()</code>: Will wait (up to your timeout) for tokens to become available—ideal for job queues and async operations</li> </ul> <p>This is perfect for smoothing out traffic spikes. Instead of rejecting users during peak times, you queue them up and process requests as capacity becomes available. Your users get a better experience (queued instead of rejected), and you get better resource utilization.</p> <h2> Scaling to multiple servers </h2> <p>Once you have multiple application servers, in-memory storage stops working. Each server has its own memory, so the limits aren't shared. User makes 100 requests to server A, then 100 to server B — they've just bypassed your 100-request limit.</p> <p>You need shared storage. Redis is the usual choice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">StorageInterface</span><span class="p">,</span> <span class="nx">LimiterStateInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zeitar/throttle</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span><span class="p">,</span> <span class="nx">RedisClientType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RedisStorage</span> <span class="kr">implements</span> <span class="nx">StorageInterface</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">RedisClientType</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">client</span><span class="p">:</span> <span class="nx">RedisClientType</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span> <span class="o">=</span> <span class="nx">client</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">save</span><span class="p">(</span><span class="nx">state</span><span class="p">:</span> <span class="nx">LimiterStateInterface</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">state</span><span class="p">.</span><span class="nf">getId</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">expirationTime</span> <span class="o">=</span> <span class="nx">state</span><span class="p">.</span><span class="nf">getExpirationTime</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">serialized</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">state</span><span class="p">.</span><span class="nf">toJSON</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">expirationTime</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nx">expirationTime</span> <span class="o">-</span> <span class="nx">now</span><span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">serialized</span><span class="p">,</span> <span class="p">{</span> <span class="na">EX</span><span class="p">:</span> <span class="nx">ttl</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">serialized</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">LimiterStateInterface</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Note: The actual implementation would need to deserialize back to</span> <span class="c1">// the appropriate state class (TokenBucket, Window, etc.)</span> <span class="c1">// This requires storing type information alongside the state</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="c1">// For a complete implementation, you'd need to reconstruct the proper</span> <span class="c1">// state object based on stored type information</span> <span class="k">return</span> <span class="nx">parsed</span> <span class="k">as</span> <span class="nx">LimiterStateInterface</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="k">delete</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redis://localhost:6379</span><span class="dl">'</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">factory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">(</span> <span class="p">{</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api</span><span class="dl">'</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="k">new</span> <span class="nc">RedisStorage</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Now all your servers share the same rate limit state. Problem solved.</p> <h2> Adding distributed locking </h2> <p>There's one more thing you need for multi-server deployments: locking. Without it, you can have race conditions where two servers read the same state simultaneously, both think they have tokens available, both decrement, and now you've issued more tokens than you should have.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">LockInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zeitar/throttle</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RedisLock</span> <span class="kr">implements</span> <span class="nx">LockInterface</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">RedisClientType</span><span class="p">;</span> <span class="kr">private</span> <span class="nx">lockTimeout</span><span class="p">:</span> <span class="nx">number</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">client</span><span class="p">:</span> <span class="nx">RedisClientType</span><span class="p">,</span> <span class="nx">lockTimeout</span> <span class="o">=</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span> <span class="o">=</span> <span class="nx">client</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lockTimeout</span> <span class="o">=</span> <span class="nx">lockTimeout</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">acquire</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">lockKey</span> <span class="o">=</span> <span class="s2">`lock:</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">acquired</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">lockKey</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">NX</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Only set if not exists</span> <span class="na">PX</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">lockTimeout</span> <span class="c1">// Milliseconds</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">acquired</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">release</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="s2">`lock:</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">factory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">(</span> <span class="nx">config</span><span class="p">,</span> <span class="k">new</span> <span class="nc">RedisStorage</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">),</span> <span class="k">new</span> <span class="nc">RedisLock</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Now your rate limiting works correctly across any number of servers.</p> <h2> Dynamic limits based on user behavior </h2> <p>Here's something I implemented for a client: adjust limits based on how trustworthy a user is.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">createDynamicLimiter</span> <span class="o">=</span> <span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">User</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// New accounts get strict limits</span> <span class="c1">// Accounts older than 90 days with no violations get higher limits</span> <span class="kd">const</span> <span class="nx">isTrusted</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">accountAge</span> <span class="o">&gt;</span> <span class="mi">90</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">violationCount</span> <span class="o">===</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">limit</span> <span class="o">=</span> <span class="nx">isTrusted</span> <span class="p">?</span> <span class="mi">5000</span> <span class="p">:</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dynamic</span><span class="dl">'</span><span class="p">,</span> <span class="nx">limit</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">limit</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">).</span><span class="nf">create</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">};</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">createDynamicLimiter</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// check result...</span> <span class="p">});</span> </code></pre> </div> <p>You could also adjust based on:</p> <ul> <li>Payment tier (paid users get higher limits automatically)</li> <li>API key vs OAuth (different trust levels)</li> <li>Historical behavior (penalize users who frequently hit limits)</li> <li>Time of day (be more lenient during off-peak hours)</li> </ul> <h2> Putting it all together </h2> <p>Here's a realistic production setup that combines several patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">RateLimiterFactory</span><span class="p">,</span> <span class="nx">CompoundRateLimiterFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zeitar/throttle</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RedisStorage</span><span class="p">,</span> <span class="nx">RedisLock</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./redis-impl</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RedisStorage</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">lock</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RedisLock</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">);</span> <span class="c1">// Define tier configurations</span> <span class="kd">const</span> <span class="nx">createTierLimiter</span> <span class="o">=</span> <span class="p">(</span><span class="nx">tier</span><span class="p">:</span> <span class="dl">'</span><span class="s1">free</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pro</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">enterprise</span><span class="dl">'</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">configs</span> <span class="o">=</span> <span class="p">{</span> <span class="na">free</span><span class="p">:</span> <span class="p">{</span> <span class="na">burst</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">sustained</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">daily</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">},</span> <span class="na">pro</span><span class="p">:</span> <span class="p">{</span> <span class="na">burst</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">sustained</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">daily</span><span class="p">:</span> <span class="mi">50000</span> <span class="p">},</span> <span class="na">enterprise</span><span class="p">:</span> <span class="p">{</span> <span class="na">burst</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">sustained</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">daily</span><span class="p">:</span> <span class="mi">1000000</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nx">configs</span><span class="p">[</span><span class="nx">tier</span><span class="p">];</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">CompoundRateLimiterFactory</span><span class="p">([</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">tier</span><span class="p">}</span><span class="s2">-burst`</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">burst</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 second</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">burst</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">,</span> <span class="nx">lock</span><span class="p">),</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">token_bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">tier</span><span class="p">}</span><span class="s2">-sustained`</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">sustained</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 minute</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">sustained</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">,</span> <span class="nx">lock</span><span class="p">),</span> <span class="k">new</span> <span class="nc">RateLimiterFactory</span><span class="p">({</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fixed_window</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">tier</span><span class="p">}</span><span class="s2">-daily`</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">daily</span><span class="p">,</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 day</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">,</span> <span class="nx">lock</span><span class="p">)</span> <span class="p">]);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">tierLimiters</span> <span class="o">=</span> <span class="p">{</span> <span class="na">free</span><span class="p">:</span> <span class="nf">createTierLimiter</span><span class="p">(</span><span class="dl">'</span><span class="s1">free</span><span class="dl">'</span><span class="p">),</span> <span class="na">pro</span><span class="p">:</span> <span class="nf">createTierLimiter</span><span class="p">(</span><span class="dl">'</span><span class="s1">pro</span><span class="dl">'</span><span class="p">),</span> <span class="na">enterprise</span><span class="p">:</span> <span class="nf">createTierLimiter</span><span class="p">(</span><span class="dl">'</span><span class="s1">enterprise</span><span class="dl">'</span><span class="p">)</span> <span class="p">};</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tier</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">tier</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">free</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">compound</span> <span class="o">=</span> <span class="nx">tierLimiters</span><span class="p">[</span><span class="nx">tier</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nx">compound</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">limiter</span><span class="p">.</span><span class="nf">consume</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-RateLimit-Tier</span><span class="dl">'</span><span class="p">,</span> <span class="nx">tier</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-RateLimit-Remaining</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nf">getRemainingTokens</span><span class="p">().</span><span class="nf">toString</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nf">isAccepted</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="nx">tier</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nf">getRetryAfter</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Rate limiter error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// Fail open</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>This gives you:</p> <ul> <li>Three tiers with different limits</li> <li>Burst protection (per-second limit)</li> <li>Sustained protection (per-minute limit)</li> <li>Daily quotas</li> <li>Works across multiple servers (Redis)</li> <li>Thread-safe (distributed locking)</li> <li>Fails gracefully if Redis goes down</li> </ul> <h2> Performance notes </h2> <p>Some real numbers from production:</p> <p><strong>In-memory storage:</strong> Sub-millisecond latency, about 100 bytes per active limiter. With 1 million active users, you're looking at ~100MB of memory. Very fast, but doesn't work with multiple servers.</p> <p><strong>Redis (local):</strong> 1–5ms latency. You're adding a network hop to every request, but it's usually on the same local network so it's fast.</p> <p><strong>Redis (cloud):</strong> 5–20ms latency depending on distance. Still acceptable for most APIs, but something to keep in mind if you're optimizing for the last bit of performance.</p> <p><strong>Locking overhead:</strong> Adds 1–3ms. Worth it for correctness in multi-server deployments.</p> <p>All the algorithms are O(1) — constant time regardless of request rate. They don't slow down as you scale.</p> <h2> When things go wrong </h2> <p><strong>Redis goes down:</strong> Your rate limiter will throw errors. This is why the "fail open" pattern is critical — log the error but let requests through. Better to temporarily lose rate limiting than to block all traffic.</p> <p><strong>Lock timeout:</strong> If a server crashes while holding a lock, the lock will expire after your timeout (default 5 seconds). New requests will wait briefly then proceed. Not perfect, but handles the case.</p> <p><strong>Misconfigured limits:</strong> Setting the daily limit to 100 instead of 10,000 is easier than you think. You'll figure it out quickly if your monitoring shows a spike in 429 responses. This is why you need monitoring.</p> <h2> The path forward </h2> <p>Start simple:</p> <ol> <li>Basic rate limiting with Token Bucket and in-memory storage</li> <li>Add monitoring to see actual usage patterns</li> <li>Adjust limits based on data</li> <li>Add tier-based limits when you have paid plans</li> <li>Move to Redis when you add a second server</li> <li>Add compound limits if you're seeing specific attack patterns</li> </ol> <p>Don't build the complex version on day one. You won't know what limits make sense until you have real traffic.</p> <h2> Open source contribution </h2> <p>Everything here is built on <a href="https://github.com/kzeitar/throttle" rel="noopener noreferrer">https://github.com/kzeitar/throttle</a>. If you want to:</p> <ul> <li>Add a new storage backend (PostgreSQL, DynamoDB, whatever)</li> <li>Implement a new algorithm</li> <li>Improve the existing code</li> <li>Add examples for your favorite framework</li> </ul> <p>The codebase is designed to be extended. It's TypeScript, well-tested, and the architecture is straightforward. Pull requests welcome.</p> <p><strong>Links:</strong></p> <ul> <li>GitHub: <a href="https://github.com/kzeitar/throttle" rel="noopener noreferrer">https://github.com/kzeitar/throttle</a> </li> <li>Docs: <a href="https://github.com/kzeitar/throttle#documentation" rel="noopener noreferrer">https://github.com/kzeitar/throttle#documentation</a> </li> <li>Custom storage guide: <a href="https://github.com/kzeitar/throttle/blob/main/docs/custom-storage.md" rel="noopener noreferrer">https://github.com/kzeitar/throttle/blob/main/docs/custom-storage.md</a> </li> </ul> <p>That's it. You now know more about rate limiting than most backend engineers. Go build something that doesn't fall over when it gets popular.</p> api node ratelimiting typescript