Stripe Staff Software Engineer — Rate Limiter at Billions RPS

It tests whether you can design and defend a distributed rate limiter at billions of API calls per day with a sub-5ms p99 latency budget. The interviewer probes algorithm choice (token bucket versus sliding window counter), Redis failure semantics (fail-open versus fail-closed), hot-key handling, multi-region consistency, and operational rollout. The bar is whether they would trust you to be on-call for the system you just designed at 3am during a payments outage.

Lock down requirements before drawing any boxes. Pin the throughput target (1M-10M rps per region), the latency budget (under 5ms p99 added to every API call), the fail-open versus fail-closed default, and the multi-region scope. Then propose one algorithm and one storage layer with a named tradeoff against the alternatives. Only then descend into hot keys, partition behaviour, and rollout. Close with a one-paragraph summary naming the limitations you have not yet addressed.

The recurring rejection patterns are: jumping to architecture before pinning non-functional requirements, picking sliding window log without acknowledging the memory cost, proposing a single global Redis without naming the SPOF risk, ignoring hot-key fan-out, quoting throughput numbers without a latency budget, switching answers immediately under pushback, and staying at box-and-arrow level without operational rollout, dashboards, runbooks, or kill switches.

Acknowledge the hot key explicitly, do not assume uniform load. The Stripe-style response is to fan the single bucket out into N sub-buckets, route requests across them with a secondary hash, and aggregate counts on read. This sacrifices precision (each sub-bucket only sees its slice) for throughput, which is the right tradeoff because the over-permit on a misbehaving key is bounded and small. Pair it with a circuit breaker for keys above a threshold.

Token bucket naturally accommodates bursts, and real API workloads are bursty. A Stripe checkout fires several quick API calls in a 500ms window. Leaky bucket throttles those bursts and degrades UX. Sliding window log is the most precise but its memory cost is O(requests) per key, which is prohibitive at billions of keys. Token bucket holds one tokens-and-timestamp pair per key in Redis and the read-modify-write fits cleanly in a Lua script for atomicity.

Stripe published this in its rate-limiter blog post: fail-open by default for the request-rate limiter, fail-closed for the concurrent limiter. The reasoning is that the request-rate limiter exists to prevent abuse, and a brief Redis outage that lets through a few extra requests is far better than killing all API traffic. The concurrent limiter protects downstream worker pools from saturation, so failing closed there is the safer default. Name the business consequence of being wrong before picking.

Each region runs its own Redis cell and enforces rate limits locally. Cross-region reconciliation is asynchronous and eventual, not synchronous. Synchronous cross-region quorum would add 100ms or more to every API call and break the latency SLA on /v1/charges. The accepted tradeoff is that a customer can briefly exceed a global limit by a small factor while their traffic is split across regions. State this AP-over-CP stance explicitly with the business reasoning.

The AI mimics a Stripe Staff Engineer on API Infrastructure. It will not praise your answers or confirm if you are right. It will listen for the specific reasoning beats (requirements first, algorithm tradeoff, distributed failure modes, operational rollout, recalibration under pushback) and probe the ones you skip. It will deliberately push back on a correct decision once to test your conviction. Switching answers immediately reads as low conviction.

Scoring evaluates six dimensions: requirements disambiguation, algorithm and data-structure tradeoff, distributed failure-mode coverage, hot-key and operational rollout, recalibration under pushback, and customer-facing API design (Retry-After, X-RateLimit headers, exponential backoff with jitter). You are graded on the specificity of your evidence and the quantitative grounding of your back-of-envelope math, not on diagram aesthetics or buzzword count.

Pin functional requirements (what is being rate-limited: API key, IP, customer ID, endpoint) and at least three non-functional requirements (throughput target per region, latency budget the limiter must hit, fail-open versus fail-closed default). State the multi-region scope. Ask the interviewer one clarifying question on consistency expectations. Only then sketch a candidate architecture. Do not draw any boxes before this is on the page.

A strong answer names the specific tradeoff being made and the alternative being rejected, with a concrete reason. For example: 'I am picking token bucket over sliding window log because sliding window log is O(requests) per key in memory, which at one billion active keys and a 60-second window costs us terabytes of Redis memory, while token bucket is a 16-byte pair per key.' The pattern is: choice, alternative rejected, quantitative reason, business consequence.