Draft-8 Multi-Quota Rate-Limited Endpoint

Expose an HTTP endpoint that applies two independent request quotas and surfaces draft-8 standard rate-limit metadata so clients can understand each quota and their hashed partition keys.

Capabilities

Draft-8 quota metadata

• The /quota response returns draft-8 RateLimit and RateLimit-Policy headers with quota names for both a route-wide window (1 minute, 20 requests) and a per-user window (10 seconds, 3 requests) @test

Aggregated headers from multiple limiters

• When both quotas apply to a single request, the response includes two RateLimit-Policy entries and two RateLimit entries, one per quota, rather than collapsing them into a single header @test

Partition hashing per identity

• RateLimit metadata exposes partition tokens that are not the raw client identifier (taken from the X-User-ID header when provided), confirming hashed partition keys in the draft-8 headers @test

Exhaustion reflected per quota

• After three rapid requests with the same X-User-ID, the per-user quota blocks the fourth call with HTTP 429 while the route-wide quota still reports remaining capacity in its RateLimit entry @test

Implementation

@generates

API

import type { Express, RequestHandler } from "express";

/**
 * Builds an Express server exposing a GET /quota endpoint.
 * Attaches two rate limiters configured for draft-8 headers:
 * - Route-wide: 20 requests per minute.
 * - Per-user: 3 requests per 10 seconds keyed by X-User-ID.
 */
export function createServer(): Express;

/**
 * Reusable middleware that applies both limiters so it can be mounted on other routes.
 */
export const applyQuotaLimits: RequestHandler;

Dependencies { .dependencies }

express { .dependency }

HTTP server framework for routing and response handling.

express-rate-limit { .dependency }

Draft-8 standard header emitting rate limiting middleware that supports multiple limiters with quota identifiers and hashed partition keys.