How do you implement API rate limiting?

Rate limiting controls request frequency to protect resources. Algorithms: Token Bucket (tokens replenish at rate, spent per request - allows bursts), Leaky Bucket (constant rate outflow), Fixed Window (count per time window - boundary issues), Sliding Window (rolling count - smoother). Store counters in Redis/memory. Identify by API key, IP, user ID. Return 429 Too Many Requests with Retry-After header. Consider: different limits per endpoint/tier, distributed systems synchronization, graceful degradation.