The systems I trust most are the ones that know how to say not right now — gracefully, and on purpose.
Saying no is a design decision
Backpressure isn't the system breaking. It's the system refusing to pretend it has capacity it doesn't. A queue that grows without bound is just deferring a failure to a worse moment, usually under more load and with less context.
Concretely, that means:
- Bounded queues with explicit drop or reject policies.
- Load shedding that protects the critical path first.
- Clients that treat a `429` as information, not insult.
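
The three points above, sketched as an added example that is not code from the original post: a bounded admission queue that refuses best-effort work before critical work and answers with a 429 plus `Retry-After`, and a client helper that turns that answer into a wait. The class and function names, the two priority levels, the thresholds and the one-job-per-second drain estimate are assumptions made for the illustration.

```python
import collections

CRITICAL, BEST_EFFORT = 0, 1  # hypothetical priority classes


class Admission:
    """Bounded queue: rejects when full, sheds best-effort work first."""

    def __init__(self, capacity, shed_at):
        self.capacity = capacity   # hard bound on queued work
        self.shed_at = shed_at     # depth at which best-effort is refused
        self.queue = collections.deque()
        self.rejected = collections.Counter()

    def offer(self, job, priority):
        """Return (status, headers): 202 if queued, 429 if refused."""
        depth = len(self.queue)
        full = depth >= self.capacity
        shedding = priority == BEST_EFFORT and depth >= self.shed_at
        if full or shedding:
            self.rejected[priority] += 1  # rejections are counted, not silent
            # Assumption: about one job drains per second, so depth ~ seconds.
            return 429, {"Retry-After": str(max(1, depth))}
        self.queue.append((priority, job))
        return 202, {}

    def take(self):
        """Worker side: next queued item, or None when idle."""
        return self.queue.popleft() if self.queue else None


def next_delay(status, headers, attempt, base=0.5, cap=30.0):
    """Client side: seconds to wait before retrying, None if not rejected."""
    if status != 429:
        return None
    hint = headers.get("Retry-After", "")
    # Only the delta-seconds form is handled here, not the HTTP-date form.
    if hint.isascii() and hint.isdigit():
        return float(hint)  # the server said when; believe it
    # No usable hint: capped exponential backoff (add jitter in real clients).
    return min(base * 2 ** attempt, cap)
```

With `capacity=4` and `shed_at=2`, the third best-effort job is refused while critical jobs are still admitted until the hard bound is reached.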
Designed-in limits turn a cliff into a slope. The work that gets rejected loudly today is the outage that doesn't happen tonight.