by dzhiurgis 3245 days ago
Slightly related question about API keys that rely on referer (say Google Vision) - what stops me using curl to spoof referer and rake in thousands in someone’s bill (15 cents per 1k recognitions)?

I assume there’s some IP based quota, but I haven’t seen a knob for that on GCP at least.


This should be enforced on your server and you shouldn’t have clients directly connecting to a service like Google Vision. I have a system that uses AWS lambda so that I don’t have to distribute my 3rd party API keys but I still have to add rate limiting.
You are missing my point entirely.
Typically, APIs can implement rate limits at various levels. Your IP may get throttled when they see it trip over an individual referrer's quota.
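An added example, not part of the thread, of the two points made above: a Referer check on a browser key is satisfied by any client that can set headers (`curl -H 'Referer: https://app.example.com/'` is enough), while the server-side proxy approach charges each request to an authenticated session and enforces limits at two levels, per caller and globally for the upstream key. The allowlist, session store, `VisionProxy` class, limits and the stubbed upstream call are all hypothetical; nothing here is Google Cloud or AWS code.

```python
"""Added example: spoofable Referer check versus server-side, per-caller
rate limiting in front of a third-party API key. All names are hypothetical."""
import time
from collections import defaultdict

# Hypothetical allowlist a provider might enforce on a browser-restricted key.
ALLOWED_REFERERS = ("https://app.example.com/",)


def referer_allowed(headers: dict) -> bool:
    """Models a provider-side Referer restriction. The header is chosen by the
    client, so a forged value from curl or a script passes exactly like a browser."""
    ref = headers.get("Referer", "")
    return any(ref.startswith(prefix) for prefix in ALLOWED_REFERERS)


class TokenBucket:
    """Token bucket: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate: float, capacity: int, now=time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.tokens = float(capacity)
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class VisionProxy:
    """Hypothetical server-side endpoint that holds the third-party key and never
    hands it to the browser. Identity comes from a session credential, not from
    Referer/Origin, and usage is limited per caller and globally for the key."""

    def __init__(self, upstream_key: str, per_caller_rate: float, per_caller_burst: int,
                 global_rate: float, global_burst: int, now=time.monotonic):
        self._upstream_key = upstream_key
        self._per_caller = defaultdict(lambda: TokenBucket(per_caller_rate, per_caller_burst, now))
        self._global = TokenBucket(global_rate, global_burst, now)
        self.sessions: dict = {}   # session token -> user id (hypothetical auth store)
        self.upstream_calls = 0

    def handle(self, headers: dict, image: bytes) -> tuple:
        user = self.sessions.get(headers.get("Authorization", ""))
        if user is None:                         # Referer is never consulted for identity
            return 401, "unauthenticated"
        if not self._per_caller[user].allow():   # one abusive client cannot drain the budget
            return 429, "per-caller limit"
        if not self._global.allow():             # hard ceiling on upstream spend
            return 503, "upstream budget exhausted"
        return 200, self._call_upstream(image)

    def _call_upstream(self, image: bytes) -> str:
        # A real proxy would POST `image` to the vision API with self._upstream_key;
        # stubbed so the example runs offline.
        self.upstream_calls += 1
        return f"labels-for-{len(image)}-bytes"


def run_scenario() -> list:
    """Replays an abuse scenario against the proxy using a fake clock.
    Expected status codes: [401, 200, 200, 429, 200, 503, 200]."""
    clock = [0.0]
    proxy = VisionProxy("hypothetical-upstream-key", per_caller_rate=1.0, per_caller_burst=2,
                        global_rate=10.0, global_burst=3, now=lambda: clock[0])
    proxy.sessions.update({"tok-alice": "alice", "tok-bob": "bob"})
    img = b"\x89PNG constructed sample image bytes"
    codes = [proxy.handle({"Referer": "https://app.example.com/"}, img)[0]]   # 401: spoofed Referer buys nothing
    for _ in range(3):
        codes.append(proxy.handle({"Authorization": "tok-alice"}, img)[0])    # 200, 200, then 429
    codes.append(proxy.handle({"Authorization": "tok-bob"}, img)[0])          # 200: global bucket now empty
    codes.append(proxy.handle({"Authorization": "tok-bob"}, img)[0])          # 503: global cap hit
    clock[0] += 1.0                                                           # one second of refill
    codes.append(proxy.handle({"Authorization": "tok-alice"}, img)[0])        # 200
    return codes


if __name__ == "__main__":
    print("spoofed Referer passes provider check:", referer_allowed({"Referer": "https://app.example.com/x"}))
    print("proxy status codes:", run_scenario())
```

The order of the checks matters: a caller is charged against their own bucket before the global one, so the global ceiling protects the bill while the per-caller bucket keeps one client from starving the rest.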