
Change how client credentials are handled in the rate limiter
Open, Needs Triage, Public

Description

In T246270, we set the base rate limit per hour for API calls with a client ID to 5000 calls per user, "including null (no user)".

This means that for client-credentials use, we're spreading an app's usage across maybe hundreds or thousands of devices. This is a disincentive to use client IDs, since the per-IP limit is higher.

We should change this to 5000 API calls per client ID/null/IP address, so that anonymous users with identified apps have the same rate limit as logged-in users.
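Added illustration of the two keying schemes (this is example code written for this page, not MediaWiki's or the rate limiter's actual implementation): a minimal fixed-window counter whose bucket key is either (client ID, user) as described for the current behaviour, or (client ID, user-or-IP) as proposed. The workload, IP addresses, and the `FixedWindowLimiter`, `key_current`, `key_proposed` and `simulate_*` names are all constructed for the example; the 5000/hour figure is the one cited in the task.

```python
from collections import defaultdict

LIMIT_PER_HOUR = 5000  # base limit cited in T246270


def key_current(client_id, user, ip):
    """Current scheme as described: one bucket per (client ID, user), where
    user may be None. Every anonymous device of the same app lands in the
    single (client_id, None) bucket, so they all share one 5000/hour budget."""
    return (client_id, user)


def key_proposed(client_id, user, ip):
    """Proposed scheme: still one bucket per (client ID, user) for logged-in
    users, but for a null user fall back to the client IP, so each anonymous
    device of an identified app gets the same budget a logged-in user has."""
    return (client_id, user if user is not None else ip)


class FixedWindowLimiter:
    """Toy per-window counter (no window rollover; one window is simulated).
    Hypothetical helper for the example, not the real limiter."""

    def __init__(self, key_fn, limit=LIMIT_PER_HOUR):
        self.key_fn = key_fn
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, client_id, user, ip):
        key = self.key_fn(client_id, user, ip)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def simulate_anonymous_app(key_fn, devices=200, calls_per_device=100):
    """Constructed workload: `devices` anonymous devices (distinct IPs), all
    sending calls with the same client ID and no user. Returns the number of
    calls rejected within one window."""
    limiter = FixedWindowLimiter(key_fn)
    rejected = 0
    for d in range(devices):
        ip = f"10.0.{d // 256}.{d % 256}"  # constructed private addresses
        for _ in range(calls_per_device):
            if not limiter.allow("example-app", None, ip):
                rejected += 1
    return rejected


def simulate_logged_in_user(key_fn, calls=6000):
    """Constructed workload: one logged-in user of the same app making more
    than the hourly limit. Both schemes key on (client ID, user) here, so the
    result is identical: calls beyond the limit are rejected."""
    limiter = FixedWindowLimiter(key_fn)
    rejected = 0
    for _ in range(calls):
        if not limiter.allow("example-app", "ExampleUser", "10.1.0.1"):
            rejected += 1
    return rejected


if __name__ == "__main__":
    # 200 devices x 100 calls = 20000 calls in one window.
    # Current keying: one shared bucket, 5000 allowed, 15000 rejected.
    # Proposed keying: 200 buckets of 100 calls each, nothing rejected.
    print("anonymous, current :", simulate_anonymous_app(key_current))
    print("anonymous, proposed:", simulate_anonymous_app(key_proposed))
    print("logged-in, current :", simulate_logged_in_user(key_current))
    print("logged-in, proposed:", simulate_logged_in_user(key_proposed))
```

The anonymous workload is what the description calls "spreading an app's usage across hundreds or thousands of devices": under the current key the whole fleet exhausts the single `(client_id, None)` bucket after 5000 calls, while under the proposed key each device is limited independently and a logged-in user's limit is unchanged. A real implementation would also need the window rollover and the usual caution that IP-keyed buckets are shared by devices behind one NAT, which is exactly the case the per-IP limit already has to live with.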