[Reference](https://python.plainenglish.io/how-i-protect-my-fastapi-apis-from-abuse-6b382e69a371)

In [1]:
pip install slowapi

Collecting slowapi
  Downloading slowapi-0.1.9-py3-none-any.whl.metadata (3.0 kB)
Collecting limits>=2.3 (from slowapi)
  Downloading limits-5.6.0-py3-none-any.whl.metadata (10 kB)
Collecting deprecated>=1.2 (from limits>=2.3->slowapi)
  Downloading Deprecated-1.2.18-py2.py3-none-any.whl.metadata (5.7 kB)
Downloading slowapi-0.1.9-py3-none-any.whl (14 kB)
Downloading limits-5.6.0-py3-none-any.whl (60 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m60.6/60.6 kB[0m [31m1.2 MB/s[0m eta [36m0:00:00[0m
[?25hDownloading Deprecated-1.2.18-py2.py3-none-any.whl (10.0 kB)
Installing collected packages: deprecated, limits, slowapi
Successfully installed deprecated-1.2.18 limits-5.6.0 slowapi-0.1.9


In [2]:
pip install redis

Collecting redis
  Downloading redis-6.4.0-py3-none-any.whl.metadata (10 kB)
Downloading redis-6.4.0-py3-none-any.whl (279 kB)
[?25l   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.0/279.8 kB[0m [31m?[0m eta [36m-:--:--[0m[2K   [91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m[91m╸[0m [32m276.5/279.8 kB[0m [31m9.0 MB/s[0m eta [36m0:00:01[0m[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m279.8/279.8 kB[0m [31m6.0 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: redis
Successfully installed redis-6.4.0


In [3]:
from fastapi import FastAPI, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded

limiter = Limiter(key_func=get_remote_address)
app = FastAPI()
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

@app.get("/api/data")
@limiter.limit("5/minute")
async def get_data(request: Request):
    return {"message": "This endpoint is rate limited"}

limiter = Limiter(
    key_func=get_remote_address,
    headers_enabled=True
)

In [4]:
from fastapi.responses import JSONResponse
from datetime import datetime

@app.exception_handler(RateLimitExceeded)
async def custom_rate_limit_handler(request: Request, exc: RateLimitExceeded):
    reset_timestamp = getattr(exc, "reset_time", None)
    retry_after = int(reset_timestamp - datetime.now().timestamp()) if reset_timestamp else 60

    return JSONResponse(
        status_code=429,
        content={
            "error": "rate_limit_exceeded",
            "message": "Too many requests. Please try again later.",
            "retry_after_seconds": retry_after,
            "resets_at": datetime.fromtimestamp(reset_timestamp).strftime("%I:%M %p") if reset_timestamp else None,
        },
        headers={
            "Retry-After": str(retry_after),
            "X-RateLimit-Limit": str(exc.detail.limit.amount),
            "X-RateLimit-Remaining": str(exc.detail.remaining),
            "X-RateLimit-Reset": str(int(reset_timestamp)) if reset_timestamp else "",
        },
    )