
Public API Without Rate Limiting: The Risks

A public API with no rate limits is an open invitation for abuse. Here's what can go wrong and how to protect your endpoints.

What this problem means

Your API is reachable from the internet. Without rate limiting, a single client—or attacker—can send unlimited requests. Bots scrape data, abuse your infrastructure, or amplify your cloud and AI API costs. Rate limiting caps how many requests a client can make in a given period.

Why this is dangerous

- Cost amplification: Each request may trigger expensive downstream calls (AI APIs, databases). Unlimited requests = unlimited bills.

- Scraping: Competitors or bad actors can extract your data at scale.

- Denial of service: A flood of requests can overwhelm your servers and take down the service.

Real-world example

A SaaS company exposed a public API for a free tier. A script was written to automate signups and extract data. Within a week, the API was called millions of times. The company had no rate limits, no WAF, and no alerts. The resulting AWS and third-party API bills exceeded $50,000.

How to fix it

1. API Gateway: Use AWS API Gateway, Cloudflare, or similar to enforce throttling per API key or IP.

2. Application-level: Add rate-limiting middleware such as express-rate-limit (Node.js) or its equivalent in your stack.

3. Per-user limits: Tie limits to authenticated users or API keys.

4. Monitor: Set up alerts for unusual traffic patterns.
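The per-key limit from steps 2 to 4 in one piece, as an added example that is not code from this guide or from express-rate-limit: an Express-style middleware that counts requests per API key (falling back to IP only for anonymous calls), answers 429 with Retry-After, and exposes a hook for alerting. It assumes the key arrives in an x-api-key header and keeps state in process memory; a Redis-backed store is needed across several instances.

```javascript
// Added example, not from the guide: fixed-window limiter keyed on the API key,
// with client IP only as the fallback for anonymous calls, so rotating proxies
// does not reset an authenticated caller's budget. Assumes an "x-api-key" header.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                // injectable clock, handy for tests
    this.buckets = new Map();      // key -> { windowStart, count }
  }
  // Authenticated key first; IP only when there is no key.
  static clientKey(req) {
    const apiKey = req.headers && req.headers['x-api-key'];
    return apiKey ? `key:${apiKey}` : `ip:${req.ip}`;
  }
  // Count this request and report whether it is within the window's budget.
  check(req) {
    const key = RateLimiter.clientKey(req);
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };   // start a fresh window
      this.buckets.set(key, b);
    }
    b.count += 1;
    return {
      key,
      allowed: b.count <= this.limit,
      remaining: Math.max(0, this.limit - b.count),
      retryAfterSec: Math.ceil((b.windowStart + this.windowMs - t) / 1000),
    };
  }
}
// Express-style middleware: 429 plus Retry-After when over budget, and an
// onBlocked hook so blocked callers can feed the traffic alerting from step 4.
function rateLimitMiddleware(limiter, onBlocked = () => {}) {
  return (req, res, next) => {
    const r = limiter.check(req);
    res.setHeader('RateLimit-Limit', String(limiter.limit));
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      onBlocked(r.key);
      return res.status(429).send('Too Many Requests');
    }
    return next();
  };
}
```

Mount it with `app.use(rateLimitMiddleware(new RateLimiter({ limit: 600, windowMs: 60000 })))` before the routes that fan out to paid downstream APIs.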

Tools and configurations

- AWS API Gateway: Built-in throttling and usage plans.

- Cloudflare: Rate limiting rules at the edge.

- express-rate-limit: Simple middleware for Node.js/Express.

- Redis: For distributed rate limiting across instances.

Common mistakes

- Assuming "we're too small to be targeted."

- Only limiting by IP (easily bypassed with proxies).

- No monitoring—discovering abuse only when the bill arrives.

Quick checklist

- [ ] Add rate limiting at API Gateway or application level

- [ ] Set per-user or per-key limits where possible

- [ ] Monitor for anomalous traffic

- [ ] Configure billing alerts as a backstop


Frequently asked questions

What happens without rate limiting on an API?

Without rate limiting, clients can send unlimited requests. This leads to abuse, scraping, cost explosions, and potential denial of service. Bots and attackers exploit unprotected APIs within hours.

How do I add rate limiting to my API?

Use an API Gateway (AWS, Cloudflare) with built-in throttling, or add application-level middleware like express-rate-limit. Tie limits to API keys or authenticated users for better control.

What is a good rate limit for APIs?

It depends on your use case. Common starting points: 100-1000 requests per minute per user or API key. Adjust based on typical usage and cost per request.