How to prevent excessive API calls

What have others done to prevent someone (or a bot) from using your account’s APIs constantly, resulting in potentially very expensive bills? Is there already a configurable time-based call limit on the FlightXML side? I am trying to figure out a way to prevent this scenario but still allow legitimate API calls to go through.

Your server backend should be designed to be able to cache requests that are common between users and reuse a recent, previously issued FlightXML request. Your backend should simultaneously be enforcing whatever rate limiting goals or cumulative request totals that you want.

Note that we do not recommend that FlightXML be directly invoked as an AJAX request within your webpage, since that prevents you from being able to cache and reuse responses between different users. It also makes it difficult to rate-limit or monitor the total number of API requests across all of your users. Finally, it makes it difficult to secure and control access to your API key, since you must embed that within your publicly readable JavaScript source code.
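The backend pattern described in the answer above, as an added example that is not part of the original thread and is not FlightAware's code: a shared response cache, a per-client sliding-window limit, and a cumulative cap on upstream calls. The class, its parameters and the `fetch` callable (assumed to perform the real FlightXML request using the API key held on the server) are hypothetical names chosen for illustration.

```python
import time
from collections import defaultdict, deque

class RateLimited(Exception):
    """Raised when one client or the whole account exceeds its budget."""

class CachingProxy:
    """Server-side front for a metered API (names here are assumptions)."""
    def __init__(self, fetch, ttl=60, per_client=5, window=60,
                 daily_budget=1000, clock=time.monotonic):
        self.fetch = fetch                # hypothetical: calls upstream with the server-held key
        self.ttl = ttl                    # seconds a cached response may be reused
        self.per_client = per_client      # requests allowed per client per window
        self.window = window              # sliding-window length in seconds
        self.daily_budget = daily_budget  # hard cap on billable upstream calls per 24 h
        self.clock = clock
        self.cache = {}                   # query -> (expires_at, response), shared by all users
        self.hits = defaultdict(deque)    # client_id -> timestamps of recent requests
        self.upstream_calls = 0
        self.day_start = clock()

    def get(self, client_id, query):
        now = self.clock()
        # 1. Per-client limit. Counted even for cache hits, so a bot cannot
        #    hammer the backend just because its queries are cached.
        recent = self.hits[client_id]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.per_client:
            raise RateLimited(f"client {client_id!r} exceeded {self.per_client} per {self.window}s")
        recent.append(now)
        # 2. Shared cache: identical queries from different users cost one upstream call.
        entry = self.cache.get(query)
        if entry and entry[0] > now:
            return entry[1]
        # 3. Cumulative cap: bounds the bill no matter how many clients there are.
        if now - self.day_start >= 86400:
            self.day_start, self.upstream_calls = now, 0
        if self.upstream_calls >= self.daily_budget:
            raise RateLimited("account-wide upstream budget exhausted")
        self.upstream_calls += 1
        response = self.fetch(query)
        self.cache[query] = (now + self.ttl, response)
        return response
```

In a web backend, `client_id` would be the authenticated user or session rather than anything the browser can freely change, and a `RateLimited` error would map to an HTTP 429 response.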