Pulsegate sits in front of every API you run and makes the call on each request before it reaches your code — authenticate, rate-limit, route, shield. All four checks add 90µs at the median, run at the edge in 40 cities, and never let a burst from one customer take down the rest.
In the request path for teams that can't afford a noisy neighbor
Most gateways bolt rate limiting onto a reverse proxy as an afterthought, then make you choose between accuracy and speed. Pulsegate runs auth, limiting, routing, and abuse defense as one compiled decision at the edge — so the request that should never reach your servers never does.
Every PoP shares one synchronized counter, so a customer's 10,000/min limit means 10,000 across the whole planet — not 10,000 per region. Sliding-window and token-bucket algorithms, accurate to the request, settled in under a millisecond. No leaky local approximations, no double-spend across edges.
Verify API keys, JWTs, HMAC signatures, and OAuth scopes at the first hop. An expired token or a key without the right scope gets a clean 401 from the edge — it never costs you an origin round trip, a database lookup, or a single CPU cycle on your servers.
Set a different limit for every API key, route, method, and plan tier. Burst allowances for trusted partners, hard ceilings for free accounts, separate budgets for write endpoints — defined as policy, enforced everywhere, changed without a redeploy.
Credential-stuffing floods, scraper swarms, and retry storms get spotted by traffic shape, not just IP. Pulsegate fingerprints the pattern, challenges or blocks it at the edge, and keeps the bad request away from the limit that protects your real customers.
Throttle instead of drop: shed low-priority traffic first, queue what can wait, and serve a cached response when the origin is hot. Decide per route whether to fail open or fail closed when the limiter itself can't reach quorum — your reliability posture, not ours.
Measured on production traffic, under real bursts
Limits, auth, and routing live in one declarative policy file you version in Git. Push it, and every edge picks up the change in seconds — no proxy reload, no per-region config drift, no 2am window to roll out a new tier.
Express rate, burst, window, and scope in a few lines of YAML. Pulsegate compiles it to a decision that runs in microseconds at every PoP.
Change a partner's quota or block a leaked key and the new rule is enforced worldwide in under five seconds. No deploy, no cache to bust.
Every throttled response carries RateLimit-Remaining, RateLimit-Reset, and Retry-After per the IETF draft, so well-behaved clients back off on their own.
Front Lambdas, Kubernetes services, a monolith, or a third-party API. Pulsegate routes by host, path, and weight without caring what's behind it.
A rate limiter isn't a feature you appreciate on a quiet Tuesday. It's the thing standing between one misbehaving integration and an incident channel at the worst possible moment.
A partner ships a bug, a retry loop turns into 50,000 requests a second. Pulsegate caps it at their tier in microseconds — their integration gets clean 429s, every other customer never notices a thing.
Free accounts get 1,000 calls a day, Pro gets 10,000 a minute, Enterprise gets a custom burst window. The gateway enforces the plan you sell, so your pricing page and your infrastructure finally agree.
A botnet tries a million stolen keys against /auth. Pulsegate spots the shape, blocks it at the edge, and your login service stays cool — instead of buckling under traffic it was never built to absorb.
Your AI endpoint costs real money per call. Set a tight budget on it specifically, throttle the abusers, and let paying customers through — so a scraper can't run up a five-figure inference bill overnight.
“We ran rate limiting in Redis behind our own proxy. It was accurate in one region and a guess across three. Pulsegate gave us one global counter that's correct to the request, and we deleted 4,000 lines of limiter code we were terrified of.”
“A partner's retry storm used to mean a page and a manual block. Now the gateway throttles it the instant it starts and the rest of the API never feels it. I've stopped getting woken up for traffic that isn't even ours.”
“Moving auth to the edge cut our origin load by a third overnight — every bad token now dies at the first hop instead of hitting our service. The 90-microsecond number is real; we measured it ourselves before we believed it.”
Billed on requests evaluated at the edge — allowed, throttled, or blocked all count the same. Every plan reaches all 40 cities. No surcharge for traffic spikes, because spikes are the whole point.
For a side project or your first gateway.
For production APIs that get hammered.
For high-volume, regulated front doors.
Each edge keeps a local view and reconciles against a shared, replicated counter on every decision. The synchronization is sub-millisecond, so a 10,000-per-minute limit holds true across all 40 cities at once rather than allowing 10,000 in each. You get global accuracy without routing every request through a single region.
You choose per route. Fail-open lets traffic through unthrottled if the limiter can't reach quorum — best for read paths where availability beats precision. Fail-closed rejects rather than risk an unprotected origin — best for expensive or sensitive endpoints. The gateway is also multi-PoP, so if a single city fails, traffic just routes around it.
The full decision — auth, rate limit, routing, and abuse check — adds 90 microseconds at the median and stays under 0.4 milliseconds at the p99, because it runs as one compiled step at the edge nearest the caller. For most APIs the gateway is faster than the DNS lookup that found it.
Yes. Limits are scoped by API key, route, HTTP method, and plan tier, in any combination. Give a trusted partner a generous burst, cap free accounts hard, and put a separate tight budget on your most expensive endpoint — all as declarative policy that propagates worldwide in seconds.
Point your DNS at Pulsegate and define your routes — it sits transparently in front of the origin you already run. Most teams shadow production traffic first to confirm parity, then cut over with no code change. Your existing keys and JWT issuer keep working; you're just moving the decision to the edge.
Alongside. A CDN caches content; Pulsegate governs API calls — authenticating, limiting, and routing dynamic requests a CDN was never built to reason about. Many teams run Pulsegate behind their CDN for static assets and in front of every API route that needs a decision.
Point a domain at Pulsegate, write one policy file, and watch the first request get a verdict in 90 microseconds. Free to start, no card, no sales call.