Learning Centre

Rate-Limit Decision Matrix

Back to learning

Rate limiting is not just a threshold. A useful limit names the route, the key being counted, the interval, the action, and the cost of being wrong.

An IP-only rule can still help, but it is rarely enough for account and API abuse. Real users share networks. Attackers rotate through residential proxies, mobile networks, cloud exits, and automation frameworks. The rate-limit design has to match the way the abuse actually moves.

Start with the route

Different routes deserve different limits:

Route type Example risk Typical decision
Login Credential stuffing, password spraying, account enumeration Count failures, challenge, throttle, or block by risk context
Password reset Inbox flooding, recovery abuse, account takeover setup Lower thresholds, monitor target account, delay risky follow-up actions
Search or catalogue Scraping, expensive origin work Limit by route, fingerprint, query pattern, and client class
Checkout or payout Fraud, carding, inventory abuse, money movement Combine account, device, session, payment, and network evidence
API export Data exfiltration, partner misuse Limit by token, account, route, data volume, and time window
Admin or configuration Privilege abuse, lateral movement Require strong auth, strict thresholds, and reviewable evidence

The same request volume can be normal on one route and suspicious on another.

Choose the right keys

Useful keys can include:

  • IP address
  • Account ID or user ID
  • Session ID
  • API key, OAuth client, or auth header
  • Device or browser fingerprint
  • TLS or HTTP/2 fingerprint
  • ASN, country, or network category
  • Header or cookie value
  • Response outcome
  • Route, method, or action
  • Tenant, partner, or organisation

Keys can be combined. For example, login failures by fingerprint and account target can be more useful than all requests from one IP. API export volume by token and route can be more useful than total requests by account.

Match action to confidence

Rate limits should not jump straight to permanent blocking. Common actions include log, alert, throttle, challenge, delay, temporary block, hard block, or review. The right choice depends on the route, evidence strength, business value, and false-positive cost.

A low-confidence signal on a public product route may only need logging. The same signal on password reset, payout, data export, or API-key creation may justify stronger friction.

Keep the evidence visible

Operators need to know:

  • Which rule fired
  • Which key was counted
  • Which route and method were involved
  • What action was taken
  • How many legitimate users were affected
  • Whether origin pressure, fraud, or account abuse changed

Without that feedback, rate limiting becomes guesswork. With it, teams can tune thresholds, split noisy routes, lower false positives, and identify when attackers have moved to another path.

Peakhour's Advanced Rate Limiting is most useful when it is attached to this decision matrix: route, key, signal, action, metric, and review path.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.