In a distributed system, you want the API layer to be stateless, so the app can offload rate limiting to a Redis instance. This way, you can use the INCR command to both increment and return the number of requests a given IP/client/API key has made across any number of app/serverless instances.
However, what do you do if the limit window doesn't round to the current second/minute/hour/day? How does each instance agree on which key to use? The answer is to take the modulo of the previous and future keys to find the right one.
For example, 3 requests every 5 seconds is the desired limit. That means we can use -max-1:+max-1 as the range of values to scan to find the key we should use.
max := 5
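
One way to carry this through in Go, as an added example that is not code from the original page. It assumes the range above means now-(max-1) through now+(max-1) in Unix seconds, and uses an in-memory map as a stand-in for Redis INCR so it runs offline; `windowBounds`, `counterStore`, `Allow` and the `rl:` key prefix are hypothetical names.

```go
package main

import (
	"fmt"
	"sync"
)

// windowBounds scans now-(max-1) .. now+(max-1) for timestamps divisible by
// max. The multiple at or before now is the window start every instance
// agrees on; start+max is when the window resets.
func windowBounds(now, max int64) (start, reset int64) {
	for t := now - (max - 1); t <= now+(max-1); t++ {
		if t%max == 0 && t <= now {
			start = t
		}
	}
	return start, start + max
}

// counterStore stands in for Redis (assumption): Incr mimics INCR by
// incrementing and returning the new value. With Redis, also EXPIRE the key.
type counterStore struct {
	mu sync.Mutex
	m  map[string]int64
}

func (s *counterStore) Incr(key string) int64 {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[key]++
	return s.m[key]
}

// Allow counts one request for client at Unix time now and reports whether
// it is within limit requests per max seconds, plus the key that was used.
func Allow(s *counterStore, client string, now, max, limit int64) (bool, string) {
	start, _ := windowBounds(now, max)
	key := fmt.Sprintf("rl:%s:%d", client, start)
	return s.Incr(key) <= limit, key
}

func main() {
	s := &counterStore{m: map[string]int64{}}
	// Constructed timestamps and client IP: 3 requests every 5 seconds.
	for _, now := range []int64{1000, 1001, 1003, 1004, 1005} {
		ok, key := Allow(s, "203.0.113.7", now, 5, 3)
		fmt.Println(now, key, ok)
	}
}
```

The scan always lands on the same value as `now - now%max`, so the loop can be replaced by that expression once the reasoning is clear.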