Chris Talman

Reputation: 1169

Anonymous Access to a REST API?

REST APIs are often accessed with an API token in the Authorization header of requests. If users have an account, they can simply be provided with a token that is associated with their account. Rate limiting can then be applied on this basis.

However, there may be cases where a REST API needs to be accessed by users who do not have an account. Imagine, for instance, a public news website whose articles should be available for users with and without accounts to read. In such cases, how should the REST API be accessed, and how should rate limiting be applied?

My immediate thought was that anonymous clients could access a resource like POST /api/register/anonymous and be granted an API token intended for anonymous users with limited permissions. The resource itself could be rate limited on the basis of an IP address. However, this doubtless has its limitations, such as the unreliability of IP addresses.

Any thoughts on this matter would be much appreciated.

Upvotes: 7

Views: 5576

Answers (1)

Eric Stein

Reputation: 13702

I'd love to be proven wrong, but I don't see how you can effectively rate-limit anonymous access. If you provide an anonymous token, an attacker can just request a new one when the old one hits the limit. If you limit by IP address, they can spoof. If you're just looking to stop random internet users, either or both are fine. If you're concerned about a dedicated attacker, those are just speed bumps. Adding a CAPTCHA when requesting the anonymous access token would also reduce the attack surface.

Upvotes: 4
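The design sketched in the question (a `POST /api/register/anonymous` endpoint that hands out a limited-permission token, with the endpoint itself rate limited per IP) and the answer's caveat (a client can simply request a fresh token once the old one is exhausted, so the per-IP cap on issuance is the only thing slowing that down) can both be seen in a small in-memory implementation. The code below is an added example written for this page, not code from either poster; the class and function names, the scope names, the token format (HMAC-signed payload) and the numeric limits are all assumptions chosen for illustration.

```python
"""Anonymous REST API tokens with scoped permissions and rate limits.

Constructed example: an in-memory service that issues short-lived,
HMAC-signed anonymous tokens from POST /api/register/anonymous,
rate-limits that endpoint per source IP, and rate-limits every later
request per token. All names and limits here are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Anonymous tokens only carry read access (assumed scope name).
ANON_SCOPES = frozenset({"articles:read"})
ANON_TOKEN_TTL = 3600  # anonymous token lifetime in seconds


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AnonymousTokenService:
    def __init__(self, secret: bytes, clock=time.time,
                 register_limit=(5, 3600), request_limit=(60, 60)):
        self._key = secret
        self._clock = clock  # injectable for testing
        # Issuance is capped per source IP; API calls are capped per token.
        self._ip_limiter = SlidingWindowLimiter(*register_limit)
        self._token_limiter = SlidingWindowLimiter(*request_limit)

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def register_anonymous(self, client_ip):
        """Handler for POST /api/register/anonymous. Returns (status, body)."""
        now = self._clock()
        if not self._ip_limiter.allow(client_ip, now):
            return 429, {"error": "too many anonymous registrations"}
        # Payload carries the token kind, a random id and the issue time;
        # the HMAC lets the server verify it without a database lookup.
        payload = f"anon:{secrets.token_hex(8)}:{int(now)}".encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return 201, {"token": f"{body}.{self._sign(payload)}",
                     "expires_in": ANON_TOKEN_TTL}

    def _parse(self, token):
        """Return (kind, id, issued_at) for a validly signed token, else None."""
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except ValueError:  # malformed base64 or missing separator
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        kind, ident, issued = payload.decode().split(":")
        return kind, ident, int(issued)

    def authorize(self, token, required_scope):
        """Check a bearer token on a resource request. Returns (status, detail)."""
        parsed = self._parse(token)
        if parsed is None:
            return 401, "invalid token"
        kind, ident, issued = parsed
        now = self._clock()
        if now - issued > ANON_TOKEN_TTL:
            return 401, "token expired"
        scopes = ANON_SCOPES if kind == "anon" else frozenset()
        if required_scope not in scopes:
            return 403, "scope not granted"
        if not self._token_limiter.allow(ident, now):
            return 429, "rate limit exceeded"
        return 200, "ok"


if __name__ == "__main__":
    svc = AnonymousTokenService(secrets.token_bytes(32))
    status, body = svc.register_anonymous("203.0.113.5")  # constructed IP
    print(status, body)
    print(svc.authorize(body["token"], "articles:read"))
    print(svc.authorize(body["token"], "comments:write"))
```

Two points in the code correspond to the discussion above. The per-IP limiter on `register_anonymous` is what bounds how quickly one address can mint fresh tokens; once a token hits its own limit, a client behind a single IP is still capped by the issuance window, which is the "speed bump" the answer describes, not a hard stop. The scope check runs before the rate limiter, so an anonymous token that asks for something it was never granted is refused outright rather than consuming quota.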
