FastAPI SlowAPI Middleware Setup

Q: Should I throttle by IP or by API key?

Throttle by the most stable identity available. For public unauthenticated endpoints, IP via a sanitized X-Forwarded-For is the only option. For authenticated APIs, key on the API key or JWT sub claim, since IP-based limits are trivially bypassed by rotating addresses.

Q: What happens to requests when Redis is down?

An unhandled storage error surfaces as a 500, not a 429. Decide a fail-open or fail-closed policy explicitly: wrap the limiter check so a Redis outage either allows traffic or rejects it, and alert on the fallback path so the outage is not silent.

Q: Can I change limits per tenant without restarting?

Not through the static decorator string. Resolve the tier in a dependency and apply the limit dynamically, or use a callable that reads the per-tenant rate from a cached config store. The FastAPI Throttling Patterns guide shows the dependency-injection pattern.

The exact task here is wiring SlowAPI into a FastAPI app so limits actually fire — binding the limiter to app.state, ordering SlowAPIMiddleware correctly, choosing a key function, and pointing the counter at Redis. This is the concrete how-to under the FastAPI Throttling Patterns parent topic, which frames the three insertion points; here we commit to one and harden it. SlowAPI is a Starlette-compatible wrapper over the limits library, so it gives you declarative @limiter.limit("100/minute") decorators, RFC-compliant 429 responses, and a pluggable storage backend without writing your own counter. Most failures are wiring mistakes, not algorithm bugs — wrong order, missing app.state, or an in-memory store under multiple workers — so this page is organized around the precise symptom each step prevents.

Concretely: a public API at 100 req/min per IP behind two Uvicorn workers will let through 200 req/min if you leave SlowAPI on its default in-memory store, because each worker counts independently. The fix is one storage_uri change, shown below.

Implementing production-grade rate limiting in FastAPI requires strict adherence to middleware lifecycle boundaries, distributed counter synchronization, and deterministic request routing. The SlowAPI library provides a robust, Starlette-compatible abstraction over the limits library, enabling declarative throughput control without compromising async event loop performance. This guide establishes the architectural baseline for integrating SlowAPI into high-concurrency API surfaces, ensuring consistent enforcement, observability alignment, and graceful degradation under storage or network anomalies.

Core Initialization & Dependency Injection

When initializing the rate limiter, developers must consider how request lifecycle management aligns with broader Backend Middleware & Distributed Tracking architectures to ensure consistent state propagation across microservices and observability pipelines. The Limiter instance must be explicitly bound to app.state before any router inclusion occurs. FastAPI’s decorator resolution mechanism relies on this state attachment to inject the limiter context into route handlers during application startup.

from slowapi import Limiter
from slowapi.util import get_remote_address
from fastapi import FastAPI

# Initialize with a synchronous key extraction function
limiter = Limiter(key_func=get_remote_address)

app = FastAPI(title="Production API")

# CRITICAL: Bind to app.state BEFORE including routers or mounting sub-applications
app.state.limiter = limiter

Failure Mode Analysis & Resolution

Symptom	Root Cause	Direct Resolution
`AttributeError: 'FastAPI' object has no attribute 'state'` during route startup	`app.state.limiter` assignment occurs after `app.include_router()` or is omitted entirely	Move `app.state.limiter = limiter` to the top-level initialization block, prior to any router registration.
Silent middleware bypass or `ImportError` on startup	Version incompatibility between `slowapi`, `starlette`, and `limits`	Check the slowapi compatibility matrix for your Starlette/FastAPI version. `slowapi` requires `limits>=3.0.0`; verify all three packages are mutually compatible before upgrading.

Middleware Attachment & Request Context Routing

Proper middleware registration ensures rate limits are evaluated before business logic executes. Teams must configure SlowAPIMiddleware execution order relative to CORS, authentication, and exception handlers to prevent bypass vectors. Middleware executes in LIFO (Last-In-First-Out) order; rate limiting should typically wrap the outermost request boundary to capture all traffic before routing or authentication overhead.

from slowapi.middleware import SlowAPIMiddleware
from fastapi import FastAPI, Request

app = FastAPI()

# Register middleware AFTER app initialization but BEFORE routers
app.add_middleware(SlowAPIMiddleware)


def extract_client_key(request: Request) -> str:
    """Proxy-aware key extraction with fallback to direct client IP."""
    forwarded = request.headers.get("X-Forwarded-For")
    if forwarded:
        # Extract the originating client IP from comma-separated proxy chain
        return forwarded.split(",")[0].strip()
    # Fallback for direct connections or test environments
    return request.client.host if request.client else "unknown"

Failure Mode Analysis & Resolution

Symptom	Root Cause	Direct Resolution
Rate limits bypassed on authenticated endpoints	`SlowAPIMiddleware` registered after custom routing or auth middleware	Reorder `app.add_middleware()` calls so `SlowAPIMiddleware` is added first (outermost layer).
Attackers rotate IPs via spoofed `X-Forwarded-For` headers	Unsanitized proxy headers accepted from untrusted sources	Validate `X-Forwarded-For` only when `request.scope["client"]` matches trusted reverse proxy CIDRs. Strip or ignore the header otherwise.
`TypeError: 'NoneType' object has no attribute 'host'` in tests	`request.client` is `None` when using `TestClient` without explicit base URL or client mocking	Provide fallback logic: `request.client.host if request.client else "127.0.0.1"` or configure `TestClient(app, base_url="http://testserver")`.

Route-Level Limits & Dynamic Configuration

Route-level decorators provide granular control over endpoint throughput. When designing high-concurrency public APIs, engineers should evaluate architectural trade-offs against alternative FastAPI Throttling Patterns to balance strict enforcement with client experience. Decorator stacking and shared limit scoping require careful configuration to avoid logical OR evaluation or counter fragmentation.

from slowapi import Limiter
from slowapi.util import get_remote_address
from fastapi import Request

limiter = Limiter(key_func=get_remote_address)

@app.get("/api/v1/search")
@limiter.limit("50/minute")
async def search(request: Request, query: str):
 return {"results": []}

# Shared limit pool: aggregates requests across multiple endpoints under a single counter
@limiter.shared_limit("global_pool:1000/minute", key_func=lambda r: "all")
async def shared_resource(request: Request):
 return {"status": "shared_pool_active"}

Failure Mode Analysis & Resolution

Symptom	Root Cause	Direct Resolution
Multiple `@limiter.limit` decorators allow higher throughput than intended	Stacked decorators evaluate as logical OR; the first passing limit short-circuits the rest	Replace stacked decorators with a single consolidated limit string or use `@limiter.shared_limit()` for cross-endpoint aggregation.
`RuntimeWarning` and event loop blocking	`key_func` contains async logic or performs blocking I/O	Ensure `key_func` is strictly synchronous and CPU-bound. For async key resolution, wrap in `asyncio.to_thread()` or precompute headers in middleware.
`ValueError: invalid limit string` on startup	Dynamic limit strings injected without validation	Validate limit syntax against `limits.parse()` during configuration loading. Reject malformed strings before application boot.

Redis Backend Integration & State Persistence

Distributed deployments require a centralized counter store. Redis provides atomic increment operations and TTL management, but connection pooling, TLS enforcement, and key namespace isolation must be explicitly configured to prevent state leakage. The default in-memory store is unsuitable for multi-instance deployments due to counter divergence.

from slowapi import Limiter
from slowapi.util import get_remote_address

# SlowAPI delegates storage to the `limits` library.
# Connection pool options are embedded in the URI query string (redis-py URL format)
# or configured via the LIMITS_STORAGE_OPTIONS environment variable.
limiter = Limiter(
 key_func=get_remote_address,
 storage_uri="redis://:secure_password@redis-primary:6379/2",
 strategy="fixed-window",
 default_limits=["100/hour"],
)

For high-throughput environments, tune the underlying Redis connection pool by configuring the limits library storage class directly:

from limits.storage import RedisStorage
from slowapi import Limiter
from slowapi.util import get_remote_address

storage = RedisStorage(
 "redis://:secure_password@redis-primary:6379/2",
 max_connections=50,
 socket_timeout=2.0,
 socket_connect_timeout=2.0,
)

limiter = Limiter(
 key_func=get_remote_address,
 storage=storage,
 strategy="fixed-window",
 default_limits=["100/hour"],
)

Failure Mode Analysis & Resolution

Symptom	Root Cause	Direct Resolution
`500 Internal Server Error` instead of `429 Too Many Requests`	Redis connection timeout or network partition triggers unhandled exception	Wrap limiter execution in a fallback handler or configure `slowapi` to return `429` on storage failure via custom error routing.
Silent counter resets during transient network blips	Missing retry logic causes atomic increment to fail and drop state	Enable `retry_on_timeout=True` and implement exponential backoff in the underlying Redis client. Monitor `redis` connection pool metrics.
Redis OOM and eviction of critical session data	Unbounded dynamic keys or missing namespace isolation	Prefix all rate limit keys (e.g., `ratelimit:{app_env}:`), set `maxmemory-policy` to `noeviction` for the rate-limit database, and enforce TTL alignment with limit windows.

Failure-Mode Analysis & Production Hardening

Graceful degradation requires explicit exception handling, structured logging, and RFC-compliant Retry-After headers. Implementing circuit-breaker fallbacks ensures backend availability during storage outages. Unhandled rate limit exceptions degrade observability and break client-side backoff algorithms.

from slowapi.errors import RateLimitExceeded
from fastapi import Request
from fastapi.responses import JSONResponse
import logging

logger = logging.getLogger("api.ratelimit")

@app.exception_handler(RateLimitExceeded)
async def handle_rate_limit(request: Request, exc: RateLimitExceeded):
 logger.warning(
 "Rate limit exceeded",
 extra={
 "client_ip": request.client.host if request.client else "unknown",
 "path": request.url.path,
 "retry_after": exc.retry_after
 }
 )
 return JSONResponse(
 status_code=429,
 content={"error": "rate_limit_exceeded", "retry_after": exc.retry_after},
 headers={"Retry-After": str(exc.retry_after)}
 )

Failure Mode Analysis & Resolution

Symptom	Root Cause	Direct Resolution
Throttling events masked as `500` in APM dashboards	`RateLimitExceeded` bubbles to global exception handler without explicit registration	Register `@app.exception_handler(RateLimitExceeded)` at the application root. Verify handler precedence over generic `HTTPException` handlers.
Client exponential backoff algorithms fail	Missing `Retry-After` header in `429` responses	Extract `exc.retry_after` (seconds) and inject into response headers. Ensure string conversion matches RFC 7231 format.
Cascading timeouts across all endpoints under load	Synchronous Redis fallback blocks the async event loop	Replace synchronous storage backends with `aioredis` or `redis.asyncio`. Never execute blocking I/O in async route handlers or middleware. Implement circuit breakers that bypass rate limiting during prolonged storage outages.

Operator checklist

Run this list once before shipping. Each item maps to a failure mode above.

app.state.limiter = limiter is set before any app.include_router() `app.state.limiter = limiter` is set **before** any `app.include_router()` call.
app.add_middleware(SlowAPIMiddleware) `app.add_middleware(SlowAPIMiddleware)` is the first (outermost) middleware added.
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) `app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)` is registered, or a custom 429 handler is.
storage_uri `storage_uri` points at Redis (not the default in-memory store) for any deployment with more than one worker or instance.
key_func is strictly synchronous and proxy-aware — only trust X-Forwarded-For `key_func` is strictly synchronous and proxy-aware — only trust `X-Forwarded-For` from known proxy CIDRs.
429 responses carry Retry-After `429` responses carry `Retry-After`; verify with the curl loop below.

Verification & testing

Drive more requests than the limit allows from one IP and confirm the counter holds across workers, not per worker.

# Send 120 requests at a 100/min limit; expect ~20 with HTTP 429.
for i in $(seq 1 120); do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -H "X-Forwarded-For: 203.0.113.7" \
    http://localhost:8000/api/v1/search?query=x
done | sort | uniq -c
# Expect roughly:  100 200   /   20 429

If you see 200 200 (all accepted) with two workers, the store is still in-memory — set storage_uri to Redis and re-run.

Frequently Asked Questions

Why do my limits double when I add a second Uvicorn worker?

SlowAPI's default storage is in-process memory, so every worker keeps its own counter and the effective limit multiplies by the worker count. Set storage_uri="redis://..." so all workers share one authoritative counter.

Does SlowAPI's key_func have to be synchronous?

Yes. SlowAPI resolves the key synchronously during decorator evaluation, so an async key function or one doing blocking I/O will either error or stall the event loop. Precompute anything expensive (e.g. an API-key lookup) in middleware and read it from request.state inside a plain synchronous key_func.

Should I throttle by IP or by API key?

Throttle by the most stable identity you have. For public, unauthenticated endpoints, IP (via a sanitized X-Forwarded-For) is the only option. For authenticated APIs, key on the API key or JWT sub claim — IP-based limits are trivially bypassed by rotating addresses.

What happens to requests when Redis is down?

An unhandled storage error surfaces as a 500, not a 429. Decide a fail-open or fail-closed policy explicitly: wrap the limiter check so a Redis outage either allows traffic (availability first) or rejects it (protection first), and alert on the fallback path so the outage is not silent.

Can I change limits per tenant without restarting?

Not through the static @limiter.limit string. Resolve the tier in a dependency and apply the limit dynamically, or use limiter.limit with a callable that reads the per-tenant rate from a cached config store. The parent FastAPI Throttling Patterns guide shows the dependency-injection pattern.

FastAPI Throttling Patterns — the parent topic covering middleware, decorator, and dependency insertion points.
FastAPI vs Django Rate Limit Middleware — how SlowAPI compares to django-ratelimit and DRF throttling.
Redis Counter Architecture — the authoritative store behind the storage_uri.
Configuring Express Rate Limit With Redis — the Node.js equivalent of this wiring.