@joint-ops/hitlimit

@joint-ops/hitlimit

Rate limiting that doesn't slow you down.

4.08M ops/sec at 10K unique IPs. Zero dependencies. One line to protect any Node.js API.

npm install @joint-ops/hitlimit

app.use(hitlimit())  // That's it. 100 req/min per IP.

Works with Express, Fastify, Hono, NestJS, and native HTTP — no config, no adapters to install, no boilerplate.

Docs · GitHub · Benchmarks

30 Seconds to Production

Express

import express from 'express'
import { hitlimit } from '@joint-ops/hitlimit'

const app = express()
app.use(hitlimit({ limit: 100, window: '15m' }))

Fastify

import { hitlimit } from '@joint-ops/hitlimit/fastify'
await app.register(hitlimit, { limit: 100, window: '1m' })

Hono

import { hitlimit } from '@joint-ops/hitlimit/hono'
app.use(hitlimit({ limit: 100, window: '1m' }))

NestJS

import { HitLimitModule, HitLimitGuard } from '@joint-ops/hitlimit/nest'

@Module({
  imports: [HitLimitModule.register({ limit: 100, window: '1m' })],
  providers: [{ provide: APP_GUARD, useClass: HitLimitGuard }]
})
export class AppModule {}

Native HTTP

import { createHitLimit } from '@joint-ops/hitlimit/node'

const limiter = createHitLimit({ limit: 100, window: '1m' })
const server = http.createServer(async (req, res) => {
  const result = await limiter.check(req)
  if (!result.allowed) return res.writeHead(429).end()
  res.end('OK')
})

What You Get

Tiered limits — Free, Pro, Enterprise in 4 lines:

hitlimit({
  tiers: { free: { limit: 100, window: '1h' }, pro: { limit: 5000, window: '1h' } },
  tier: (req) => req.user?.plan || 'free'
})

Auto-ban — Ban repeat offenders automatically:

hitlimit({ limit: 100, window: '1m', ban: { threshold: 5, duration: '15m' } })

Custom keys — Rate limit by IP, user, API key, or anything:

hitlimit({ key: (req) => req.headers['x-api-key'] || req.ip })

Shared limits — Team-wide quotas with group:

hitlimit({ limit: 10000, window: '1h', group: (req) => req.user.teamId })

Skip rules — Whitelist health checks, admins, internal routes:

hitlimit({ skip: (req) => req.path === '/health' || req.user?.role === 'admin' })

Pick Your Store

Every store is built in. Swap one line — your rate limiting code stays the same.

               Single Server                          Multi-Server
          ┌──────────────────────┐          ┌──────────────────────────┐
          │  Memory  │  SQLite   │          │  Redis   │  Postgres    │
          │  (default)           │          │  Valkey  │  MongoDB     │
          │                      │          │  Dragonfly  MySQL       │
          └──────────────────────┘          └──────────────────────────┘
             No persistence         Your existing infrastructure, zero lock-in

Store	Ops/sec	Latency	When to use
Memory	4,082,874	245ns	Single server, no persistence needed
SQLite	404,135	2.5μs	Single server, need persistence
MongoDB	2,161	462.8μs	Multi-server / NoSQL infrastructure

Redis, Valkey, DragonflyDB, Postgres, and MySQL are network-bound (~200–3,500 ops/sec). Benchmarks at hitlimit.jointops.dev/docs/benchmarks.

The pattern is always the same

import { hitlimit } from '@joint-ops/hitlimit'
import { ______Store } from '@joint-ops/hitlimit/stores/______'

app.use(hitlimit({ store: ______Store({ /* connection config */ }) }))

Memory — default, zero config

app.use(hitlimit()) // that's it

SQLite — survives restarts, single server

import { sqliteStore } from '@joint-ops/hitlimit/stores/sqlite'
app.use(hitlimit({ store: sqliteStore({ path: './ratelimit.db' }) }))

Peer dep: better-sqlite3

Redis — distributed, atomic Lua scripts

import { redisStore } from '@joint-ops/hitlimit/stores/redis'
app.use(hitlimit({ store: redisStore({ url: 'redis://localhost:6379' }) }))

Peer dep: ioredis

Valkey — open-source Redis fork, drop-in replacement

import { valkeyStore } from '@joint-ops/hitlimit/stores/valkey'
app.use(hitlimit({ store: valkeyStore({ url: 'redis://localhost:6379' }) }))

Peer dep: ioredis

DragonflyDB — Redis-compatible, higher throughput

import { dragonflyStore } from '@joint-ops/hitlimit/stores/dragonfly'
app.use(hitlimit({ store: dragonflyStore({ url: 'redis://localhost:6379' }) }))

Peer dep: ioredis

PostgreSQL — use your existing database

import { postgresStore } from '@joint-ops/hitlimit/stores/postgres'
app.use(hitlimit({ store: postgresStore({ url: 'postgres://localhost:5432/mydb' }) }))

Peer dep: pg

MongoDB — NoSQL, TTL indexes, MEAN/MERN stacks

import { mongoStore } from '@joint-ops/hitlimit/stores/mongodb'
import { MongoClient } from 'mongodb'

const client = new MongoClient('mongodb://localhost:27017')
const db = client.db('myapp')
app.use(hitlimit({ store: mongoStore({ db }) }))

Peer dep: mongodb

MySQL — SQL distributed, LAMP stacks

import { mysqlStore } from '@joint-ops/hitlimit/stores/mysql'
import mysql from 'mysql2/promise'

const pool = mysql.createPool('mysql://root@localhost:3306/mydb')
app.use(hitlimit({ store: mysqlStore({ pool }) }))

Peer dep: mysql2

Performance

vs Competitors (Memory Store, 10K unique IPs)

Library	Ops/sec
hitlimit	4,082,874	████████████████████
rate-limiter-flexible	1,261,659	██████
express-rate-limit	824,030	████

This is the memory store comparison — the default for all three libraries. For Redis, Postgres, and cross-store breakdowns, see the full benchmark results. Controlled-environment microbenchmarks with transparent methodology. We report scenarios where competitors beat us. Run them yourself.

Migrating?

// express-rate-limit → hitlimit
- import rateLimit from 'express-rate-limit'
- app.use(rateLimit({ windowMs: 60000, max: 100 }))
+ import { hitlimit } from '@joint-ops/hitlimit'
+ app.use(hitlimit({ window: '1m', limit: 100 }))

Full migration guide in the docs.

Related

• @joint-ops/hitlimit-bun — Bun-native variant with native bun:sqlite

License

MIT