I'm providing a service on my website that uses a 3rd party API (the API calls are performed on the backend). This service is available to all site visitors and they don't have to sign in or be members on my site. (Actually, this 3rd party call is part of a validation I perform during user sign up.)
So each time a visitor uses my service, I'm performing an API call in the backend.
Therefore, if a visitor decides to abuse my service - he can send as many requests as he wants and max out my 3rd party API usage limit in less than a minute.
My question is - how can I identify a site visitor (that is NOT logged in) and prevent them from making more than X amount of requests to a specific backend function? (The solution needs to be on the backend and not on the client side, obviously.)
I need a way to identify the visitor (IP address / cookie / something else) in order to limit the amount of calls they can perform to a backend function, even though they're not logged in yet.
How should I approach this?
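
One way to enforce the limit described in the question on the backend, as an added example that is not part of the original post: a sliding-window counter keyed on the visitor's IP address, checked before the third-party call is made. The names `SlidingWindowLimiter`, `client_key`, `guarded_call` and `trusted_proxies` are hypothetical, and the counters are assumed to live in a single backend process.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` accepted calls per `window` seconds per key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable so behaviour can be tested
        self.hits = defaultdict(deque)  # key -> timestamps of accepted calls

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_key(remote_addr, forwarded_for=None, trusted_proxies=frozenset()):
    """Choose the address to count requests against.

    A cookie or an X-Forwarded-For header is supplied by the client, so the
    header is used only when the direct peer is a proxy the site operates
    (assumption: `trusted_proxies` holds those addresses).
    """
    if forwarded_for and remote_addr in trusted_proxies:
        # The right-most entry is the one appended by the site's own proxy.
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def guarded_call(limiter, key, call_api):
    """Run the third-party call only while `key` is under its limit."""
    if not limiter.allow(key):
        return 429, None  # Too Many Requests; the API is never contacted
    return 200, call_api()
```

Visitors behind the same NAT or corporate proxy share one key, so the per-key limit has to leave room for that.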