
API Abuse Real Example: The Cost

A real example of API abuse—$50K in bills. No rate limits, no alerts. Here's what happened and how to prevent it.

What this problem means

API abuse is when someone—a bot, scraper, or attacker—uses your API in ways you didn't intend. They extract data, rack up costs, or overwhelm your servers. Without rate limits and alerts, you often discover it when the bill arrives.

Why this is dangerous

- Cost explosion: Each request may trigger paid downstream work (third-party API calls, compute, storage, egress). With no cap on requests there is no cap on the bill.

- Data theft: Scrapers bulk-extract your proprietary data. Nothing is deleted, which is why this goes unnoticed; the copy simply exists somewhere else.

- Downtime: A flood of requests exhausts capacity and takes the service down for legitimate users.

Real-world example

A SaaS company exposed a public API for a free tier. An attacker scripted the signup flow to mint free-tier accounts and used them to extract data. Within a week the API had been called millions of times. The company had no rate limits, no WAF, and no alerts, so nothing failed and nothing paged anyone. The resulting AWS and third-party API bills exceeded $50,000. They discovered the abuse when the invoice arrived.

How to fix it

1. Rate limiting: Cap requests per API key or authenticated user first, and add a coarser per-IP cap as a backstop (many legitimate users share one IP behind NAT, and attackers rotate IPs, so IP alone is a weak key). Give expensive endpoints their own, lower limit. 100-500 requests per minute per key is a reasonable start for ordinary endpoints; reject with 429 and a Retry-After header. Rate-limit the signup endpoint too, since on a free tier every signup mints a new key.

2. WAF rules: Block known bad user agents, abusive IPs, and, if your users are not developers running jobs from cloud hosts, datacenter ranges. Treat this as a filter that raises the attacker's cost, not as the control: user agents are trivially spoofed and legitimate traffic (CI jobs, partner integrations) often comes from datacenters.

3. Billing alerts: Set up alerts at 50%, 80%, and 100% of expected spend. Provider billing data lags by hours, so pair them with a near-real-time usage alarm (request count, downstream call count) and a hard spend cap that fails closed.

4. Monitor: Review usage dashboards weekly for trends, but rely on automated alerts for anomalies. A week is exactly how long the incident above took to cost $50,000.

5. Backend for keys: Never ship third-party API keys in frontend code (browser JavaScript, mobile apps); anyone can extract them and bill your account. Proxy expensive calls through your backend, where you can authenticate the caller and apply per-user quotas.
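The five steps above fit together as one request pipeline. The following is an added example written for this page, not code from the company in the incident or from any of the tools listed below: a plain Node.js guard with no framework dependency (so it runs stand-alone, unlike an express-rate-limit setup) that applies a per-IP backstop, per-key limits, a tighter limit on expensive routes, and a daily spend cap with 50/80/100% alerts. All limits, route costs, the $200 budget and the two traffic scenarios are illustrative assumptions.

```javascript
// Added example (not the page's code): layered abuse controls for a pay-per-use API.
// Limits, route costs, budget and traffic below are illustrative assumptions.

const WINDOW_MS = 60000; // one-minute fixed windows

// Per-key limits are the primary control; the per-IP cap is a coarse backstop
// (many legitimate users share a NAT address, and attackers rotate IPs).
const LIMITS = {
  perIp: 300,          // requests per minute per source IP
  perKey: 100,         // requests per minute per API key
  perKeyExpensive: 10, // requests per minute per key on costly routes
};
// Assumed downstream cost of each route in USD (third-party fees, compute).
const ROUTE_COST_USD = { '/signup': 0.05, '/export': 0.5, '/search': 0.01 };
const EXPENSIVE_ROUTES = new Set(['/signup', '/export']);
const DAILY_BUDGET_USD = 200;         // hard cap: fail closed when exhausted
const ALERT_PERCENTS = [50, 80, 100]; // alert thresholds from the page

// Fixed-window counter keyed by identity (IP or API key). Integer-exact and simple;
// it admits up to 2x the limit across a window boundary. In production the map
// would live in a shared store such as Redis with a TTL, not process memory.
class FixedWindowLimiter {
  constructor(limit, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.counts = new Map(); // key -> { window, count }
  }
  allow(key, nowMs) {
    const window = Math.floor(nowMs / this.windowMs);
    const entry = this.counts.get(key);
    if (!entry || entry.window !== window) {
      this.counts.set(key, { window, count: 1 });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

class ApiGuard {
  constructor() {
    this.ipLimiter = new FixedWindowLimiter(LIMITS.perIp);
    this.keyLimiter = new FixedWindowLimiter(LIMITS.perKey);
    this.expensiveLimiter = new FixedWindowLimiter(LIMITS.perKeyExpensive);
    this.spentUsd = 0;     // spend so far today
    this.alertsFired = []; // budget percentages already alerted on
  }

  // Decide whether to serve a request; every check runs before any paid downstream call.
  handle({ ip, apiKey, route }, nowMs) {
    if (!apiKey) return { status: 401, reason: 'missing api key' };
    if (!this.ipLimiter.allow(ip, nowMs)) return { status: 429, reason: 'ip rate limit' };
    if (!this.keyLimiter.allow(apiKey, nowMs)) return { status: 429, reason: 'key rate limit' };
    if (EXPENSIVE_ROUTES.has(route) && !this.expensiveLimiter.allow(apiKey, nowMs)) {
      return { status: 429, reason: 'expensive route limit' };
    }
    const cost = ROUTE_COST_USD[route] ?? 0;
    if (this.spentUsd + cost > DAILY_BUDGET_USD) {
      return { status: 503, reason: 'daily budget exhausted' };
    }
    this.spentUsd += cost;
    for (const pct of ALERT_PERCENTS) {
      // Integer comparison avoids float rounding right at a threshold.
      if (this.spentUsd * 100 >= DAILY_BUDGET_USD * pct && !this.alertsFired.includes(pct)) {
        this.alertsFired.push(pct); // in production: page on-call here
      }
    }
    return { status: 200, reason: 'ok', costUsd: cost };
  }
}

// Replay constructed traffic at 100 requests/second (all inside one window) and tally outcomes.
function runScenario(requests) {
  const guard = new ApiGuard();
  const outcome = { allowed: 0, blocked: {} };
  requests.forEach((req, i) => {
    const res = guard.handle(req, i * 10);
    if (res.status === 200) outcome.allowed += 1;
    else outcome.blocked[res.reason] = (outcome.blocked[res.reason] || 0) + 1;
  });
  outcome.spentUsd = guard.spentUsd;
  outcome.alertsFired = guard.alertsFired;
  return outcome;
}

// Constructed scenario A: one script on one IP rotating 50 free-tier keys it signed up for.
// Key rotation sidesteps the per-key limits; the per-IP backstop stops it at 300 requests.
function singleIpKeyRotation() {
  const reqs = Array.from({ length: 1000 }, (_, i) => ({
    ip: '203.0.113.7', apiKey: `free-key-${i % 50}`, route: '/export',
  }));
  return runScenario(reqs);
}

// Constructed scenario B: the same 50 keys spread over 250 proxy IPs, so no IP cap trips.
// The expensive-route limit caps each key at 10 exports; the budget cap ends the rest.
function distributedKeyRotation() {
  const reqs = Array.from({ length: 1000 }, (_, i) => ({
    ip: `198.51.100.${i % 250}`, apiKey: `free-key-${i % 50}`, route: '/export',
  }));
  return runScenario(reqs);
}

console.log(singleIpKeyRotation());
console.log(distributedKeyRotation());
```

Scenario A serves 300 of 1,000 requests and spends $150; scenario B serves 400, spends exactly the $200 budget, fires all three alerts, and then fails closed. The point of running both is that no single layer is sufficient: key rotation beats per-key limits, proxies beat per-IP limits, and only the spend cap bounds the worst case.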

Tools and configurations

- Cloudflare: Rate limiting rules, bot management, WAF rules at the edge, before requests reach your origin.

- AWS API Gateway: Built-in throttling, plus usage plans that tie API keys to per-key rate and quota limits.

- express-rate-limit: Application-level rate limiting for Node.js; its default in-memory store is per process, so use a shared store (for example Redis) when you run more than one instance.

- Billing alerts: AWS Budgets and CloudWatch billing alarms, Google Cloud budgets, or the equivalent in your provider's dashboard.

Common mistakes

- Assuming "we're too small to be targeted." Abuse is automated; scripts do not check how big you are.

- No rate limits or alerts, or rate limits keyed only on IP, which rotating addresses bypass.

- Having no detection path other than the invoice.

Quick checklist

- [ ] Add rate limiting per API key, with a per-IP backstop and lower limits on expensive endpoints

- [ ] Set up billing alerts and a hard spend cap

- [ ] Alert on usage anomalies automatically; review dashboards weekly

- [ ] Use WAF rules for known bad actors

- [ ] Never put API keys in frontend code


Frequently asked questions

What is API abuse?
API abuse is when someone uses your API in unintended ways—scraping data, racking up costs, or overwhelming your servers. Rate limiting and alerts help prevent it.
How much can API abuse cost?
Real examples range from $10K to $80K+ in a single incident. Without rate limits and alerts, abuse can run for days or weeks before you notice.
How do I prevent API abuse?
Add rate limiting per API key with a per-IP backstop, WAF rules, and billing alerts backed by a hard spend cap. Alert on usage anomalies and review dashboards weekly. Never put API keys in frontend code; proxy expensive calls through a backend that authenticates the caller and enforces quotas.