Your public API sees bot spikes rotating API keys. How do you defend while minimizing false positives?

Problem Statement

Explanation

Combine identity signals: key, IP/subnet, user agent fingerprints, and behavior features. Apply velocity rules across these dimensions, not just per key. Use progressive challenges (e.g., CAPTCHA or proof-of-work) before hard blocks and add reputation scores that decay over time. Keep allow-lists for partners and offer higher-tier customers dedicated capacity. Always log decisions with reasons for later appeal and model tuning.

Code Solution

SolutionRead Only

score = f(keyRate, ipRate, uaEntropy); if(score>τ) challengeOrBlock();

Practice Sets

This question appears in the following practice sets:

Rate Limiting & Traffic Shaping

Next Question

Master Interviews
Anywhere, Anytime

Your public API sees bot spikes rotating API keys. How do you defend while minimizing false positives?

Problem Statement

Explanation

Code Solution

Practice Sets

Related Questions

Which statement best describes the Single Responsibility Principle?

Open–Closed Principle encourages what practice when adding features?

High-Level Design (HLD) typically focuses on which artifacts?

Which UML diagram best captures interactions over time between components?

Which pairing describes a healthy design goal?

More from System Design

Master Interviews Anywhere, Anytime

Your public API sees bot spikes rotating API keys. How do you defend while minimizing false positives?

Problem Statement

Explanation

Code Solution

Practice Sets

Related Questions

Which statement best describes the Single Responsibility Principle?

Open–Closed Principle encourages what practice when adding features?

High-Level Design (HLD) typically focuses on which artifacts?

Which UML diagram best captures interactions over time between components?

Which pairing describes a healthy design goal?

More from System Design

Master Interviews
Anywhere, Anytime