How do I add rate limiting to an MCP server?

Add middleware to your server's request handler that tracks requests per client using an API key or session ID. Use a token bucket algorithm with modest capacity and refill rate as a starting point. For distributed setups, store counters in Redis instead of memory.

What rate limits should I set for MCP?

Start with a conservative rate per agent as a baseline. Set a suitable burst capacity to handle quick sequences like directory listing followed by multiple file reads. Tighten limits on expensive operations like database queries or AI inference, and loosen them on cheap reads.

Can MCP servers limit per-agent usage?

Yes, if your server uses HTTP or SSE transport with authentication. Track usage by API key or Bearer token to enforce unique limits per agent. For stdio transport, per-agent limiting is harder since there's typically one agent per connection, but you can still apply global caps.

How do I prevent MCP server abuse?

Combine rate limiting with authentication and audit logging. Require API keys for all connections, set conservative default limits, and monitor for agents that consistently hit the ceiling. If an agent is looping, the logs will show repeated calls to the same tool with the same parameters.

MCP Server Rate Limiting: Implementation Guide for Production

What Is MCP Server Rate Limiting?

MCP server rate limiting is the practice of controlling how frequently AI agents can invoke tools and access resources through a Model Context Protocol server. It prevents abuse, manages costs, and ensures fair usage across multiple agents. Traditional API rate limiting is designed for human-driven apps that make a few requests per second. MCP servers face a different problem. Large Language Models call tools autonomously, and they do it fast. When an agent encounters an error, it often retries immediately, sometimes dozens of times in a few seconds. Without a rate limiter acting as a circuit breaker, these loops can overwhelm your server and any downstream APIs it depends on. A basic rate limiter tracks requests per client over a time window and rejects anything above the threshold. For MCP, this means tracking by API key, session ID, or agent identifier, then returning a clear error when limits are exceeded.

Helpful references: Fast.io Workspaces, Fast.io Collaboration, and Fast.io AI.

Why Rate Limiting Matters for Production MCP Servers

Moving an MCP server from local development to production without rate limiting is asking for trouble. AI agents create load patterns that look nothing like human traffic.

Cost control is the biggest reason. An unthrottled MCP server can rack up 1,000+ API calls per minute from a single agent. If those calls hit a paid API (email sending, database queries, web scraping), your bill grows fast. Rate limiting can reduce MCP server costs by cutting redundant and looping requests.

System stability is the second reason. When one agent enters a retry loop, it can consume all available connections or memory, causing timeouts for every other agent on the server. A rate limiter isolates the damage to the misbehaving agent.

Fair multi-agent access is the third. If you run a shared MCP server with multiple agents connecting, per-agent limits prevent any single agent from starving the others. This matters in team environments where several agents might work on different tasks at the same time.

Dashboard showing audit logs of AI agent activity and request volume

Rate Limiting Algorithms for MCP

Three algorithms cover most MCP rate limiting needs. Your choice depends on whether you prioritize burst handling, strict quotas, or smooth throughput.

Token Bucket

The token bucket adds tokens at a fixed rate (the refill rate) and removes one token per request. If the bucket is empty, the request is rejected. This approach handles bursts well because the bucket can accumulate tokens during idle periods. ```python import time

class TokenBucket: def init(self, capacity: int, refill_rate: float): self.capacity = capacity self.tokens = capacity self.refill_rate = refill_rate # tokens per second self.last_refill = time.monotonic()

def allow(self) -> bool: now = time.monotonic() elapsed = now - self.last_refill self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate) self.last_refill = now if self.tokens >= 1: self.tokens -= 1 return True return False


A good starting configuration for MCP: modest bucket capacity for bursts with a refill rate of a few tokens per second for sustained throughput. This lets agents do quick bursts like listing a directory and reading several files, while capping long-term throughput.

### Fixed Window Counter

Fixed windows split time into fixed intervals and count requests per interval. Once the count hits the limit, everything is rejected until the next window starts.
- **Best for**: Hard cost caps where you have a strict hourly or daily quota
- **Downside**: Susceptible to bursts at window boundaries. An agent could send 100 requests at second 59 and another 100 at second 61, effectively doubling throughput

### Sliding Window Log

A sliding window tracks the exact timestamp of each request and counts how many fall within a rolling window. It avoids the boundary problem of fixed windows but uses more memory since you store individual timestamps.
- **Best for**: Precise rate enforcement on high-value endpoints
- **Downside**: Higher memory usage per client

For most MCP servers, **token bucket is the best default**. It handles the bursty nature of LLM tool calls while maintaining a predictable average rate.

Implementing Rate Limits in Your MCP Server

Adding rate limiting to an MCP server follows four steps: identify the caller, pick a storage backend, define your rules, and return clear errors.

Step 1: Identify the Caller

MCP supports multiple transports, and identification works differently for each:

Streamable HTTP / SSE: Use API keys, Bearer tokens, or session IDs from the HTTP headers
Stdio (local): Limit by process ID or apply a single global limit since there's typically one agent per stdio connection

For remote MCP servers, require authentication and use the API key as your rate limiting key. This gives you per-agent tracking out of the box.

Step 2: Pick a Storage Backend

Single server: An in-memory dictionary or Map works fine. Reset on restart is acceptable since rate limit state is temporary.
Multiple servers: Use Redis or a similar shared store. Each server needs to see the same counters to enforce limits consistently.

Step 3: Define Your Rules

Start strict, then loosen as you observe real usage:

Default: several requests per minute per agent
Burst: Allow a burst of requests (token bucket capacity)
Heavy tools: Apply tighter limits to expensive operations (file uploads, AI queries) and looser limits to reads (file listing, metadata)

Step 4: Return Clear Errors

MCP uses JSON-RPC, not HTTP status codes. When an agent hits a limit, return a JSON-RPC error with a descriptive message:

{
  "jsonrpc": "2.0",
  "id": 42,
  "error": {
    "code": -32029,
    "message": "Rate limit exceeded. Try again in 3 seconds.",
    "data": {
      "retryAfter": 3,
      "limit": 60,
      "window": "1m"
    }
  }
}

Including retryAfter in the error data helps properly built agents back off automatically instead of hammering the server.

Visualization of network traffic and data processing nodes

Skip the Build with a Managed MCP Server

Building rate limiting, authentication, and monitoring into your own MCP server takes effort. If you'd rather spend that time on your agent's actual logic, a managed server handles all of this for you. Fast.io's MCP server ships with 251 tools for file storage, search, and RAG, all with built-in protection:

Usage credits as natural throttling: The free agent tier gives you 5,000 credits per month. Each operation costs a predictable number of credits (100/GB stored, 212/GB transferred, 1 credit per 100 AI tokens), so your spending is always bounded.
Audit logging: Every tool invocation is logged with the agent identity, timestamp, and parameters. You can review agent behavior after the fact without building your own logging pipeline.
Per-agent isolation: Each agent gets its own account with its own credit pool. One agent's heavy usage doesn't affect another's.
50GB free storage: No credit card, no trial expiration. Agents sign up the same way humans do. The server supports Streamable HTTP and SSE transports, works with Claude, GPT-4, Gemini, LLaMA, and local models, and requires zero server-side code on your part.

Monitoring and Adjusting Your Limits

Rate limiting isn't a set-and-forget configuration. Agent behavior changes as you update prompts, add new tools, or connect new agents. Revisit your limits regularly.

Watch Your Rejection Rate

If more than 5-10% of requests are being rejected, your limits may be too tight. Agents that need to list a directory and then read several files in quick succession will hit a low burst limit. Increase the token bucket capacity before increasing the sustained rate.

Detect Stuck Agents

An agent consistently hitting the rate limit for minutes at a time is probably caught in a loop. The limiter is protecting your server, but you also need to fix the root cause. Common fixes:

Add better error handling in the agent's prompt so it stops retrying on permanent failures
Set a maximum retry count in your agent framework
Use exponential backoff: wait 1 second, then 2, then 4, instead of retrying immediately

Per-Tool Limits

Not all tools are equal. A list_files call that returns cached metadata is cheap. A run_query call that hits a database is expensive. Consider different rate limits per tool category:

Read operations (list, search, metadata): 120/minute
Write operations (upload, delete, move): 30/minute
AI operations (RAG query, summarize): 10/minute

Log Everything

Keep logs of rate limit events, including which agent was limited, which tool it was calling, and how long the limiting lasted. These logs are your best tool for tuning limits and catching misbehaving agents early.

How to Implement MCP Server Rate Limiting