Why limit at all
Without limits, a single client can:
- Burn your database to the ground in 30 seconds
- Run up a $20K cloud bill before you wake up
- Starve every other user of API capacity
- Probe for vulnerabilities at 10K req/s
Rate limits are how you set boundaries โ per user, per endpoint, per IP, per API key โ that protect the service from any one caller. They don't replace authentication or DDoS protection; they sit alongside both. A well-limited API can survive bad clients, runaway scripts, and accidental loops without paging anyone.
