CASE 157 · FATHOM · 2023
API throttling that protects the backend without punishing the user.
A mobile fitness app had API endpoints that occasionally saw runaway client behaviour — a sync bug retrying every 100ms, an off-the-shelf scraper, a botnet learning the auth pattern. Each event hammered the backend. We added API Gateway usage plans with tiered throttling.
Mobile fitness
RELIABILITY
2023
RESULTS
What changed, by the numbers.
BACKEND PRESSURE EVENTS: −93%
LEGITIMATE-USER IMPACT: < 0.01%
CLIENT-BUG MITIGATION: AUTO
COST CHARGEBACK: POSSIBLE
HOW IT WENT
The previous rate-limiting had been "WAF rate-based rules on IP," which doesn’t work for mobile clients behind carrier NAT — large numbers of legitimate users share IPs. The team had been turning down the WAF limit and getting legitimate-user complaints, or turning it up and getting backend stress.
API Gateway usage plans throttle per API key, not per IP. Each app build gets a key with a tier-appropriate rate (and a 5x burst). Misbehaving clients throttle themselves; legitimate clients never hit the limit. WAF still catches IP-based abuse outside the API key surface.
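To show why a per-key rate with a burst allowance stops a misbehaving build without touching a healthy one, here is an added Python model of the mechanism (not code from the engagement, and only loosely modelled on API Gateway usage plan throttle settings). The tier values (2 req/s, 5x burst) and the two client behaviours are assumed for illustration.

```python
"""Per-API-key token-bucket throttling, modelled loosely on API Gateway usage
plan throttle settings (a sustained rate plus a burst bucket). Added example;
the tier values and client behaviours below are assumed, not from the case."""


class KeyThrottle:
    """One token bucket per API key: refills at `rate` tokens/s, holds `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._tokens = {}  # remaining tokens per key
        self._last = {}    # timestamp of the last refill per key

    def allow(self, api_key: str, now: float) -> bool:
        """True if the request is admitted, False if throttled (would be a 429)."""
        tokens = self._tokens.get(api_key, float(self.burst))  # new key: full bucket
        last = self._last.get(api_key, now)
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        self._last[api_key] = now
        if tokens >= 1.0:
            self._tokens[api_key] = tokens - 1.0
            return True
        self._tokens[api_key] = tokens
        return False


def simulate(rate: float, burst: int, clients: dict, duration: float) -> dict:
    """Drive one client per key; `clients` maps api_key -> seconds between requests.
    Buckets are independent, so a misbehaving key cannot starve another key.
    Returns {api_key: (allowed, throttled)}."""
    throttle = KeyThrottle(rate, burst)
    results = {}
    for key, interval in clients.items():
        allowed = throttled = 0
        for i in range(int(round(duration / interval))):
            if throttle.allow(key, i * interval):
                allowed += 1
            else:
                throttled += 1
        results[key] = (allowed, throttled)
    return results


if __name__ == "__main__":
    # Assumed tier: 2 req/s sustained, 5x burst. Constructed clients: a healthy
    # build syncing every 2 s, and a build with the 100 ms retry bug.
    clients = {"key-healthy-build": 2.0, "key-retry-bug": 0.1}
    print(simulate(rate=2.0, burst=10, clients=clients, duration=60.0))
```

The buggy key is held to roughly the tier rate after its burst is spent, while the healthy key never sees a rejection; the per-key counts are also the raw material for the chargeback and abnormal-usage metrics mentioned above.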
Backend pressure events dropped 93% year-over-year. Legitimate-user impact stays under 0.01% — the tier limits are well above sustained-use thresholds. The per-key metrics open up future capabilities like per-customer cost chargeback and abnormal-usage detection.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.