
@powforge/ratelimit
Proof-of-work rate limiting middleware for Express/Fastify. No API keys, no third-party services. Clients prove computational work to access your API.
Proof-of-work rate limiting for Express APIs. No API keys, no accounts, no third-party services.
Clients solve a SHA-256 puzzle to prove computational work before accessing your API. Solved proofs grant time-limited tokens for subsequent requests.
```bash
npm install @powforge/ratelimit
```

```javascript
const express = require('express');
const { powRateLimit } = require('@powforge/ratelimit');

const app = express();

// Protect your API with PoW rate limiting
app.use('/api', powRateLimit({ difficulty: 14 }));

app.get('/api/data', (req, res) => {
  res.json({ message: 'You proved computational work to get here' });
});

app.listen(3000);
```
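1. Client requests `/api/data` without proof
2. Server responds `429` with a SHA-256 challenge
3. Client finds a nonce where `SHA256(salt + nonce)` has N leading zero bits
4. Client retries with an `X-PoW-Proof: salt:nonce:signature` header
5. Server issues an `X-PoW-Token` for subsequent requests (5 min TTL)

```javascript
// Request a URL; on a 429 challenge, solve it and retry with the proof header.
async function fetchWithPoW(url) {
  let res = await fetch(url);
  if (res.status === 429) {
    const { challenge } = await res.json();
    const nonce = await solveChallenge(challenge);
    const proof = `${challenge.salt}:${nonce}:${challenge.signature}`;
    res = await fetch(url, {
      headers: { 'X-PoW-Proof': proof }
    });
  }
  return res;
}

// Brute-force a nonce whose hash has `difficulty` leading zero bits.
// sha256() is not defined on this page; it must return the digest as a hex string.
async function solveChallenge({ salt, difficulty }) {
  for (let nonce = 0; ; nonce++) {
    const hash = await sha256(salt + nonce);
    // The first 8 hex characters are the top 32 bits of the digest.
    const bits = parseInt(hash.substring(0, 8), 16);
    if (bits < Math.pow(2, 32 - difficulty)) return nonce;
  }
}
```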
| Option | Default | Description |
|---|---|---|
| `difficulty` | 14 | Leading zero bits (14 = ~16k hashes, <1s) |
| `tokenTTL` | 300 | Token validity in seconds |
| `challengeTTL` | 120 | Challenge validity in seconds |
| `secret` | auto | HMAC signing secret |
| `skipIf` | null | `(req) => boolean` to bypass PoW |
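
The server side of the challenge and verification steps above, as an added example for Node.js; it is not the package's own code. The HMAC field layout (`salt|difficulty|expires`), the `expires` field and all function names are assumptions; only `SHA256(salt + nonce)`, the leading-zero-bit rule, the HMAC `secret` and the 120 s challenge TTL come from this page.

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);  // assumed: random per-process HMAC key
const CHALLENGE_TTL_MS = 120 * 1000;    // challengeTTL default from the options table

// HMAC over every field the client could tamper with (assumed layout).
function sign(salt, difficulty, expires) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${salt}|${difficulty}|${expires}`).digest('hex');
}

// Stateless challenge: the server keeps nothing and trusts only its own signature.
function issueChallenge(difficulty, now = Date.now()) {
  const salt = crypto.randomBytes(16).toString('hex');
  const expires = now + CHALLENGE_TTL_MS;
  return { salt, difficulty, expires, signature: sign(salt, difficulty, expires) };
}

// Count leading zero bits across the whole digest, so difficulty may exceed 32.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

// Check the signature first (constant time), then expiry, then the work itself.
function verifyProof({ salt, difficulty, expires, signature }, nonce, now = Date.now()) {
  const expected = Buffer.from(sign(salt, difficulty, expires), 'hex');
  const given = Buffer.from(String(signature), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad-signature';
  if (now > expires) return 'expired';
  const digest = crypto.createHash('sha256').update(salt + nonce).digest();
  return leadingZeroBits(digest) >= difficulty ? 'ok' : 'insufficient-work';
}

// Reference solver equivalent to the client loop above (SHA256 over salt + nonce).
function solve({ salt, difficulty }) {
  for (let nonce = 0; ; nonce++) {
    const digest = crypto.createHash('sha256').update(salt + nonce).digest();
    if (leadingZeroBits(digest) >= difficulty) return nonce;
  }
}
```

Because the difficulty and expiry are covered by the signature, a client that edits either one before submitting a proof gets `bad-signature` rather than a cheaper puzzle.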
| Difficulty | Expected Hashes | Browser Time | Use Case |
|---|---|---|---|
| 10 | 1,024 | ~25ms | Light protection |
| 14 | 16,384 | ~350ms | Standard API protection |
| 18 | 262,144 | ~12s | High-value endpoints |
| 20 | 1,048,576 | ~23s | Rate-limit heavy consumers |
Data from empirical experiments on AMD EPYC 7443P. Browser times ~5x slower than server.
Built as part of the Softwar thesis research, testing proof-of-work as a universal access control mechanism.
MIT
FAQs
The npm package @powforge/ratelimit receives a total of 13 weekly downloads. As such, @powforge/ratelimit popularity was classified as not popular.
We found that @powforge/ratelimit demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.