A third-party partner integrates with our API and occasionally hammers it with bursts that degrade service for everyone else. We don't own their client. How would you protect the API?

system-design · Mid level · software-engineering

What the interviewer is really asking

Assesses server-side throttling and graceful-degradation design from the provider's side — per-tenant quotas, fair isolation so one noisy client can't starve others, and the correct 429 contract — distinct from implementing a distributed counter.

What to say

What to avoid

Example answers

Strong: Since I can't change their client, I push the protection entirely server-side and make it per-key. Each partner's API key gets its own token-bucket quota at the gateway, so a burst from one consumes only their own budget — the others are isolated and keep their capacity. When they exceed it I return 429 with Retry-After and the X-RateLimit headers so a sane client throttles itself. Because this partner might ignore that, I add a hard concurrency cap per key and load-shed beyond it, and I put a timeout on those requests so they can't pin my workers. I'd also alert on sustained 429s for that key so we can reach out and fix it at the relationship level.

Weak: I'd add a global rate limit on the API so total traffic can't exceed what the servers handle. Once we hit the cap, extra requests get rejected.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.