
Rate Limiting & DDoS Protection

APIs are highly susceptible to automated abuse: scraping, credential stuffing, and denial-of-service (DoS) attacks. The OWASP API Security Top 10 tracks this risk as API4: Unrestricted Resource Consumption.

  • Per-User/Per-IP Limiting: Enforce quotas keyed on the authenticated user ID, falling back to the client IP address for public (unauthenticated) endpoints. Reject over-quota requests with 429 Too Many Requests.
  • Burst Protection: Use algorithms such as Token Bucket or Leaky Bucket to allow short bursts of traffic while capping the sustained rate.
  • Resource-Based Limits: Not all endpoints are equal. A password reset endpoint should have a much stricter rate limit than a static data fetch. In GraphQL, calculate query complexity (depth and field cost) before execution to prevent deeply nested queries from exhausting the server.
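The three bullets above combine naturally into one piece of middleware: a token bucket per (endpoint, principal) pair, where the principal is the user ID when authenticated and the IP otherwise, and where each endpoint carries its own capacity (burst) and refill interval (sustained rate). The following is an added example written for this page, not code from the original site; the endpoint names, policy numbers, sample IPs and the `FakeClock` helper are constructed for illustration.

```python
"""Token-bucket rate limiter keyed per user (or per IP) with per-endpoint policies.

Added example; not from the original page. Endpoint paths, policy numbers and
the sample IPs are constructed for illustration.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    capacity: int      # burst size: tokens a fresh bucket starts with
    interval: float    # seconds per refilled token -> sustained rate is 1/interval


# Hypothetical per-endpoint policies: the sensitive endpoint is far tighter.
POLICIES: Dict[str, Policy] = {
    "POST /auth/password-reset": Policy(capacity=3, interval=60.0),    # 3 burst, then 1/min
    "GET /catalog/items":        Policy(capacity=100, interval=0.02),  # 100 burst, then 50/s
}
DEFAULT_POLICY = Policy(capacity=20, interval=0.1)                     # 20 burst, then 10/s


class Decision(NamedTuple):
    status: int        # 200 = allow, 429 = Too Many Requests
    remaining: int     # whole tokens left after this request
    retry_after: int   # seconds until one token is available (0 when allowed)


@dataclass
class _Bucket:
    tokens: float
    updated: float


class RateLimiter:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._buckets: Dict[Tuple[str, str], _Bucket] = {}

    @staticmethod
    def _principal(user_id: Optional[str], ip: str) -> str:
        # Authenticated callers are keyed by user id so that rotating source IPs
        # does not reset their quota; anonymous callers fall back to the client IP.
        return f"user:{user_id}" if user_id else f"ip:{ip}"

    def check(self, endpoint: str, user_id: Optional[str] = None, ip: str = "0.0.0.0") -> Decision:
        policy = POLICIES.get(endpoint, DEFAULT_POLICY)
        now = self._clock()
        key = (endpoint, self._principal(user_id, ip))
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=float(policy.capacity), updated=now)
            self._buckets[key] = bucket
        # Lazy refill: tokens accrue at 1/interval per second, capped at capacity.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(policy.capacity), bucket.tokens + elapsed / policy.interval)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return Decision(200, int(bucket.tokens), 0)
        # Out of budget: report how long until a whole token exists (Retry-After header).
        wait = math.ceil((1.0 - bucket.tokens) * policy.interval)
        return Decision(429, 0, wait)


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    rl = RateLimiter(clock=clock.now)
    ep = "POST /auth/password-reset"
    for i in range(4):  # constructed anonymous client hammering a sensitive endpoint
        print(i, rl.check(ep, ip="203.0.113.5"))
    clock.advance(60)
    print("after 60s", rl.check(ep, ip="203.0.113.5"))
```

Two design points are worth noting. Refill is computed lazily from the elapsed time on each request rather than by a background timer, which keeps the per-bucket state to two floats and makes the limiter trivially portable to a shared store such as Redis. The `retry_after` value is derived from the bucket's deficit, so the 429 response can carry an honest `Retry-After` header instead of a fixed guess.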