API endpoints brute force protection/rate limiting
I would like to know how to protect API endpoints and if it's possible at all. Let's say that I want define some "brute force protection" for API endpoints but they are not login pages. There is no username/password. I will add some use cases below.
1. Specific API endpoint - /api/this_is_a_single_endpoint/do_something.
I want to define X requests for IP or user during X minutes and then block for X minutes
As workaround I can create virtual and positional parameters and "force" specific endpoint to be a login page. This works but it's not nice solution.
2. API endpoints with wildcard - /api/*
Let's say that I want achive same - X requests for IP or user during X minutes and then block for X minutes. Is there any way how to do it?