Rate-limit your AI endpoint by abuse, not IPs

Coming soon

Wrap any public or LLM-powered endpoint, set a limit, and let FormShield catch multi-account abuse and cap the bill before it runs away.

The problem

One abuser can drain your token bill overnight

A single abuser cycling IPs, keys, or throwaway accounts can slip past per-IP rate limits and run up your token bill overnight. Naive rate limiting either throttles real users or misses the distributed abuse that actually costs you money on LLM-backed routes.

How it works

Wrap the endpoint, get a decision, cap the cost

One POST in front of the resource you want to protect — FormShield scores the caller for abuse and enforces your limit at the decision boundary.

01. Wrap the endpoint

Call POST /v1/meter in front of the resource you want to protect: a chat completion, a support-bot turn, an expensive search, any public route. Pass an identifier for the caller (user id, session, IP) and the limit you want to enforce.

02. FormShield scores the request

We correlate the caller across IPs, sessions, and accounts to detect one actor wearing many hats, not just count requests per key. You get back an allow / throttle / block decision plus the abuse signals behind it.

03. Cap cost before it runs away

Set a budget per identity or per window and FormShield enforces it at the decision boundary, so a runaway loop or a coordinated abuse campaign hits the cap instead of your invoice.

What you get

Abuse correlation and cost caps, not just request counts

Metering links one actor across IPs, sessions, and accounts, enforces a budget per identity, and returns a clear allow / throttle / block decision on the same edge path as the rest of FormShield.

Multi-account abuse correlation

Links requests that share fingerprint, network, and behavioral signals so the same actor cycling fresh accounts or rotating IPs counts as one — the failure mode plain per-IP limits miss.
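
An added illustration of the gap described above, not FormShield's code or algorithm: a constructed log in which one actor rotates 8 IPs and 8 accounts, checked first per IP and then after linking requests that share a signal. The `fingerprint` field, the throwaway account names, and the union-find linking are assumptions made for the example.

```python
from collections import Counter, defaultdict

LIMIT = 100  # max requests per window, as in the page's 100-per-hour example

def build_log():
    """Constructed sample: one actor on 8 IPs / 8 accounts, plus one normal user."""
    log = [{"ip": f"198.51.100.{i % 8}", "user_id": f"u_throwaway{i % 8}",
            "fingerprint": "fp_A"} for i in range(138)]  # 38% over the limit
    log += [{"ip": "203.0.113.42", "user_id": "u_4821",
             "fingerprint": "fp_B"} for _ in range(40)]
    return log

def per_ip_over_limit(log, limit=LIMIT):
    """Plain per-IP counting: each rotated IP is judged on its own."""
    counts = Counter(r["ip"] for r in log)
    return {ip: n for ip, n in counts.items() if n > limit}

def correlated_over_limit(log, limit=LIMIT):
    """Link requests that share an ip, user_id or fingerprint value (union-find),
    then count per linked actor instead of per key."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r in log:
        ip_key = ("ip", r["ip"])
        for other in (("user", r["user_id"]), ("fp", r["fingerprint"])):
            parent[find(ip_key)] = find(other)

    totals, users = Counter(), defaultdict(set)
    for r in log:
        root = find(("ip", r["ip"]))
        totals[root] += 1
        users[root].add(r["user_id"])
    return [{"count": n, "linked_users": sorted(users[root])}
            for root, n in totals.items() if n > limit]

if __name__ == "__main__":
    sample = build_log()
    print("per-IP offenders:", per_ip_over_limit(sample))
    print("correlated offenders:", correlated_over_limit(sample))
```

Treating any single shared value as a hard link over-merges in practice: unrelated users behind one NAT share an IP, so a real system has to weigh signals rather than union on each match.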

Cost caps for LLM endpoints

Enforce a credit or budget ceiling per identity and per window. The biggest win is putting a hard lid on token spend for chat and support bots before a single abuser drains it.

Allow / throttle / block decisions

Every call returns a clear action plus a verdict and confidence, so you decide whether to serve, slow down, or reject — no opaque 429 with no reason attached.

Distributed enforcement at the edge

Runs on the same edge path as the rest of FormShield, so the limit check adds little latency and works the same whether traffic hits one region or many.

The call

One request in, a metered decision out

For a caller 38% over a 100-per-hour limit, the call returns throttle with a multi_account_abuse verdict and the linked identities behind it. The endpoint shape is in development, so final fields may change.

curl https://api.formshield.dev/v1/meter \
  -H "Authorization: Bearer $FORMSHIELD_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "resource": "chat.completion",
    "identity": { "user_id": "u_4821", "ip": "203.0.113.42" },
    "limit": { "max": 100, "window": "1h" }
  }'

Metering is in development behind POST /v1/meter. Join the waitlist to get early access and help shape the limit and budget model.

FAQ

Common questions

Coming soon: call POST /v1/meter in front of your LLM route with a caller identity and a limit. FormShield correlates the caller across IPs, sessions, and accounts and returns allow / throttle / block, so distributed abuse against a single endpoint is caught even when each IP looks under the limit. Join the early-access waitlist to try it on your endpoints.

Metering is not live yet — it's in development behind the POST /v1/meter endpoint. It's the next FormShield surface after our live IP, email, content, and Voight products. Join the waitlist from the dashboard to get early access and help shape the limit and budget model.

At launch, Metering will cost 2 credits per decision — each POST /v1/meter call that returns an allow / throttle / block verdict. Credits are the same shared balance used across FormShield, billed per service rather than per raw request, so you can mix Metering with your other checks on one plan.
