I'm building a web app that has an API endpoint that basically just calls GPT-3. I make ajax calls to the endpoint from the web app (all running on the same domain). The basic app is freely usable by unregistered users. What's the best way to prevent abuse?
I'm currently limiting calls per IP, but have recently noticed one user is generating endless new IPv6 addresses to get around the restrictions.
I thought about using invisible captcha or something, but obviously that doesn't work if they can just hit the /api/blah url. Should I be using Cloudflare or something like that?
Any help or advice would be much appreciated. Thanks!
You should limit it per /64. If that fails, lower the subnet one by one for the abusive range.
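A defender-side sketch of the per-/64 bucketing suggested above, with a way to shorten the prefix for a range that keeps abusing: this is an added example and not code from the thread; the class, method names and sample addresses are my own.

```python
import ipaddress
import time
from collections import defaultdict, deque


class PrefixRateLimiter:
    """Sliding-window limiter keyed on an IPv6 prefix instead of the full address.

    IPv4 clients are bucketed per address (/32); IPv6 clients per /64 by default,
    because a single subscriber usually controls a whole /64 and can mint endless
    interface IDs inside it. Ranges marked abusive are re-bucketed at a shorter prefix.
    """

    def __init__(self, limit, window_seconds, v6_prefix=64):
        self.limit = limit
        self.window = window_seconds
        self.v6_prefix = v6_prefix
        self.hits = defaultdict(deque)   # bucket key -> timestamps of recent requests
        self.overrides = {}              # ip_network -> prefix length to bucket on

    def key_for(self, ip_str):
        """Return the bucket key (a network string) a client address falls into."""
        ip = ipaddress.ip_address(ip_str)
        if ip.version == 4:
            return str(ipaddress.ip_network((int(ip), 32)))
        # An abusive range gets a wider bucket (e.g. /48) than the default /64.
        for net, plen in self.overrides.items():
            if ip in net:
                return str(ipaddress.ip_network((int(ip), plen), strict=False))
        return str(ipaddress.ip_network((int(ip), self.v6_prefix), strict=False))

    def allow(self, ip_str, now=None):
        """True if the request fits within the bucket's window, else False."""
        now = time.monotonic() if now is None else now
        q = self.hits[self.key_for(ip_str)]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def widen(self, ip_str, new_prefix):
        """Bucket the range containing ip_str at a shorter prefix from now on.

        Existing per-/64 counts are not merged; the new bucket starts empty.
        """
        net = ipaddress.ip_network((int(ipaddress.ip_address(ip_str)), new_prefix), strict=False)
        self.overrides[net] = new_prefix
```

Call `widen(addr, 56)` or `widen(addr, 48)` when a /64 bucket keeps tripping the limit from fresh addresses; each step covers 256 times more addresses than the previous one.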
Why not require registration and in turn authentication? Easier to rate limit with authentication.