You are designing a rate-limiter for an external-facing AI inference API. The API serves both self-serve developers and large enterprise customers, and traffic is highly bursty because requests fan out from downstream applications and agent workflows. You need a design that protects latency and GPU capacity during spikes without unfairly throttling high-value tenants or making the platform feel unreliable. The tricky part is balancing per-user fairness, per-organization quotas, model-specific capacity limits, and graceful degradation when shared infrastructure is under pressure.
How would you design a rate-limiter for an external-facing AI inference API?