Rate limit requests

We currently don't limit the rate that clients can make requests to the API, beyond that of the DDoS protection offered by the WAF. We should introduce a mechanism to limit API requests by a rate defined per client.