
How to Add Rate Limiting to Your Bolt App with Upstash

Protect your Bolt app's API from abuse with Upstash Redis rate limiting. Serverless, no setup, and free tier available.

Before you start

  • A Bolt app with API routes
  • An Upstash account (free at upstash.com)
  • Your Upstash Redis REST URL and token

Step by step

1. Create an Upstash Redis database

Go to the Upstash console and create a new Redis database. Choose the region closest to your users.

# Upstash Console → Create Database
# Name: my-app-rate-limiter
# Region: US-East-1 (or closest to you)
# Copy REST URL and REST Token

2. Install the Upstash packages

Add the Upstash rate limiting library to your Bolt project.

Paste this into Bolt:

Install these npm packages: @upstash/ratelimit and @upstash/redis

3. Create the rate limiter

Build a reusable rate limiting middleware.

Paste this into Bolt:

Create a lib/rate-limit.ts file that:
1. Imports Ratelimit from @upstash/ratelimit and Redis from @upstash/redis
2. Creates a Redis client using UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN env vars
3. Creates a rate limiter with sliding window: 10 requests per 10 seconds
4. Exports a rateLimit function that takes an identifier (like IP or user ID) and returns { success, limit, remaining }

4. Apply rate limiting to API routes

Add the rate limiter to your API endpoints.

Paste this into Bolt:

Update my API routes to:
1. Import the rateLimit function
2. Get the user's IP from the request headers
3. Call rateLimit(ip) at the start of each handler
4. If not success, return 429 Too Many Requests with a retry-after header
5. Include remaining requests in the response headers
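
The five points of this step, written out as an added example (not code from this guide or from Upstash). The limiter is passed in as a function so the block runs without a Redis connection; `clientKey`, `limitHeaders`, `guarded`, the `reset` field and the `X-RateLimit-*` header names are assumptions, and header keys are assumed to be lowercased.

```typescript
// `reset` (epoch ms at which the window frees up) is an assumed extra field;
// the guide's rateLimit() is described as returning { success, limit, remaining }.
type LimitResult = { success: boolean; limit: number; remaining: number; reset: number };
type HeaderMap = Record<string, string | undefined>;
type Reply = { status: number; headers: Record<string, string>; body: string };
type Limiter = (key: string) => Promise<LimitResult>;

// Pick the rate-limit key. A signed-in user id beats an IP. For anonymous
// callers, X-Forwarded-For reads "client, proxy1, proxy2": the caller controls
// the left side, so count in from the right by the number of proxies you run
// behind (1 = only the hosting platform's edge).
function clientKey(headers: HeaderMap, userId?: string, trustedProxies = 1): string {
  if (userId) return `user:${userId}`;
  const hops = (headers["x-forwarded-for"] ?? "")
    .split(",").map((h) => h.trim()).filter(Boolean);
  const ip = hops[hops.length - trustedProxies];
  // No usable address: one shared bucket, so unidentified traffic is still limited.
  return ip ? `ip:${ip}` : "ip:unknown";
}

// Headers for every reply; Retry-After (whole seconds, at least 1) only on a block.
function limitHeaders(r: LimitResult, nowMs: number): Record<string, string> {
  const h: Record<string, string> = {
    "X-RateLimit-Limit": String(r.limit),
    "X-RateLimit-Remaining": String(Math.max(0, r.remaining)),
  };
  if (!r.success) h["Retry-After"] = String(Math.max(1, Math.ceil((r.reset - nowMs) / 1000)));
  return h;
}

// Run the limiter before the handler; the handler never executes on a 429.
async function guarded(
  limiter: Limiter, headers: HeaderMap, userId: string | undefined,
  handler: () => Promise<Reply>, nowMs: number = Date.now(),
): Promise<Reply> {
  const result = await limiter(clientKey(headers, userId));
  const extra = limitHeaders(result, nowMs);
  if (!result.success) return { status: 429, headers: extra, body: "Too Many Requests" };
  const reply = await handler();
  return { ...reply, headers: { ...reply.headers, ...extra } };
}
```

Set `trustedProxies` to match your deployment: too low a value keys on your own proxy's address, too high a value keys on text the caller typed into the header.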

5. Add environment variables

Add your Upstash credentials to your deployment platform.

UPSTASH_REDIS_REST_URL=https://your-db.upstash.io
UPSTASH_REDIS_REST_TOKEN=your-token-here

Common errors

Redis connection refused

The Upstash URL or token is wrong.

Fix: Copy the REST URL and REST Token (not the standard Redis URL) from the Upstash console.

Rate limit not resetting

The sliding window interval is too long.

Fix: Adjust the window size. For API routes, 10 requests per 10 seconds is a good default.

All requests share the same limit

Every request uses the same identifier.

Fix: Use the user's IP address or auth token as the rate limit key, not a hardcoded string.
