php 58 lines · 8 steps

A fixed-window rate limiter on APCu

A small PHP class counts requests per key in shared memory and resets the count after a fixed time window.

Explained by highlit

Intermediate rate-limiting fixed-window caching shared-memory ttl

1<?php
2 
3namespace App\Security;
4 
5use RuntimeException;
6 
7final class ApcuRateLimiter
8{
  public function __construct(
      private readonly int $limit = 60,
      private readonly int $window = 60,
      private readonly string $prefix = 'ratelimit:'
  ) {
      if (!\function_exists('apcu_inc')) {
          throw new RuntimeException('APCu extension is not available.');
      }
  }
18 
  public function attempt(string $key): bool
  {
      return $this->hits($key) <= $this->limit;
  }
23 
  public function hits(string $key): int
  {
      $bucket = $this->prefix . $key;
      $success = false;
      $count = apcu_inc($bucket, 1, $success);
29 
      if (!$success || $count === 1) {
          apcu_store($bucket, 1, $this->window);
          return 1;
      }
34 
      return $count;
  }
37 
  public function remaining(string $key): int
  {
      $current = (int) apcu_fetch($this->prefix . $key);
      return max(0, $this->limit - $current);
  }
43 
  public function retryAfter(string $key): int
  {
      $info = apcu_key_info($this->prefix . $key);
      if ($info === null) {
          return 0;
      }
      $expiresAt = $info['creation_time'] + $info['ttl'];
      return max(0, $expiresAt - time());
  }
53 
  public function clear(string $key): void
  {
      apcu_delete($this->prefix . $key);
  }
58}

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1An atomic increment is the heart of a rate limiter — it lets concurrent requests share one counter without races.
2The fixed-window scheme is implemented by attaching a TTL only when the counter first appears, so it expires and resets automatically.
3Separating attempt, remaining, and retryAfter gives callers everything they need to enforce limits and build informative responses.

Related explainers

php

<?php
 
namespace App\Support;

Locale-aware formatting with PHP's intl extension

internationalization encapsulation constructor-injection

Intermediate 7 steps

php

<?php
 
namespace App\Support;

Merging query params onto a URL in PHP

url-parsing query-strings immutability

Intermediate 8 steps

php

<?php
 
class ImageUploadService
{

Validating file uploads safely in PHP

file-upload input-validation security

Intermediate 8 steps

python

import time
from collections import defaultdict
from threading import Lock

Sliding-window login rate limiting in Flask

rate-limiting sliding-window thread-safety

Intermediate 7 steps

javascript

const RATE_LIMIT = 100;
const WINDOW_MS = 60 * 1000;
const BLOCK_MS = 5 * 60 * 1000;

Building a rate-limiting middleware in Express

rate-limiting middleware closures

Intermediate 9 steps

php

<?php
 
namespace App\View;

Building a safe HTML escaper in PHP

security xss escaping

Intermediate 6 steps

Share this explainer

Here's the card — post it anywhere.

A fixed-window rate limiter on APCu — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code