"As an Administrator, I want to define a maximum number of API calls that can be made with a given API key during a particular period of time, so I can plan for and manage API traffic usage."
"As a Client Developer, I want to have an explicit pool of API calls I can make, so I can plan on more reliable API support."
These are two ways of looking at rate limits, from two personas.
Note that this only covers API calls that come through the API gateway, and not all API traffic (yet). A rate limit is defined as a number of API calls per time period; these values are not yet fixed and will probably be adjusted over time, so they should be variable. All API calls count the same. There is just one hard limit (no soft limit). The limit is by key, not by developer account (developers can have multiple keys).
For MVP, we'll have the following rate limit values:
Default rate limit class: 5,000 API calls/hour per client ID/user ID pair (with null user ID counting as a pair here)
Preferred rate limit class: 25,000 API calls/hour per client ID/user ID pair
Internal rate limit class: 100,000 API calls/hour per client ID/user ID pair
Anonymous (no client ID) rate limit: 500 API calls/hour per IP address
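
A sketch of how a gateway could enforce these classes, added here as an example and not the project's own code. It assumes fixed one-hour windows, in-memory counters, and a hypothetical `client_class` lookup from client ID to class; `RateLimiter`, `bucket_key` and `check` are illustrative names.

```python
import time
from dataclasses import dataclass, field

# Calls per window, from the MVP values above; kept as data so they can be adjusted.
LIMITS = {"default": 5_000, "preferred": 25_000, "internal": 100_000, "anonymous": 500}
WINDOW_SECONDS = 3600  # assumption: fixed one-hour windows aligned to the epoch


def bucket_key(client_id, user_id, ip):
    """Return (counter identity, is_anonymous) for one request."""
    if client_id is None:
        # Anonymous traffic is counted per IP. Assumption: `ip` is the peer
        # address the gateway observed, not a client-supplied header.
        return ("ip", ip), True
    # A null user ID still forms its own pair with the client ID.
    return ("pair", client_id, user_id), False


@dataclass
class RateLimiter:
    limits: dict = field(default_factory=lambda: dict(LIMITS))
    client_class: dict = field(default_factory=dict)  # client_id -> class name
    counters: dict = field(default_factory=dict)      # key -> (window, count)

    def check(self, client_id=None, user_id=None, ip=None, now=None):
        """Count one call; return (allowed, remaining, seconds_until_reset)."""
        now = time.time() if now is None else now
        key, anonymous = bucket_key(client_id, user_id, ip)
        cls = "anonymous" if anonymous else self.client_class.get(client_id, "default")
        limit = self.limits[cls]
        window = int(now // WINDOW_SECONDS)
        reset_in = int((window + 1) * WINDOW_SECONDS - now)
        seen_window, used = self.counters.get(key, (window, 0))
        if seen_window != window:  # a new hour started: the pool refills
            used = 0
        if used >= limit:          # single hard limit: reject without counting
            return False, 0, reset_in
        self.counters[key] = (window, used + 1)  # every call costs exactly one
        return True, limit - used - 1, reset_in
```

The `remaining` and `reset_in` values are what a gateway would hand back to the Client Developer so the pool of calls is explicit.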