A malicious user can put us out of business by consuming all URL keys in the current design. To prevent abuse, we can limit users via their api_dev_key. Each api_dev_key can be limited to a certain number of URL creations and redirections per some time period (which may be set to a different duration per developer key).
I assume most users of the URL-shortening service are actually unregistered users. What’s the industry standard for preventing the aforementioned abuses against unregistered users? Would that be via cookies or IP addresses or something?
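
The per-key limiting described in the first paragraph, as an added example that is not part of the original post: a sliding-window limiter keyed by api_dev_key and action, where each key can be given its own limit and time period. The quota numbers, the action names and the class and function names are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Quota:
    limit: int      # maximum requests allowed inside one window
    window: float   # window length in seconds

# Constructed defaults (assumed values, not from the original post).
DEFAULT_QUOTAS = {"create": Quota(5, 3600.0), "redirect": Quota(100, 60.0)}

class KeyRateLimiter:
    """Sliding-window limiter keyed by (api_dev_key, action)."""

    def __init__(self, defaults=DEFAULT_QUOTAS, clock=time.monotonic):
        self._defaults = dict(defaults)
        self._overrides = {}              # (api_dev_key, action) -> Quota
        self._hits = defaultdict(deque)   # (api_dev_key, action) -> timestamps
        self._clock = clock               # injectable so tests can control time

    def set_quota(self, api_dev_key, action, quota):
        """Give one developer key its own limit and duration for an action."""
        self._overrides[(api_dev_key, action)] = quota

    def allow(self, api_dev_key, action):
        """Return (allowed, retry_after_seconds) for one request."""
        bucket = (api_dev_key, action)
        quota = self._overrides.get(bucket, self._defaults[action])
        now = self._clock()
        hits = self._hits[bucket]
        # Forget requests that have aged out of this key's window.
        while hits and now - hits[0] >= quota.window:
            hits.popleft()
        if len(hits) >= quota.limit:
            # Denied requests are not recorded, so a flood of rejected calls
            # cannot grow the per-key state beyond `limit` timestamps.
            oldest = hits[0] if hits else now
            return False, quota.window - (now - oldest)
        hits.append(now)
        return True, 0.0

def demo():
    """Hypothetical key allowed 2 creations per 10 seconds."""
    t = [0.0]
    rl = KeyRateLimiter(clock=lambda: t[0])
    rl.set_quota("key-partner", "create", Quota(2, 10.0))
    results = [rl.allow("key-partner", "create")[0] for _ in range(3)]
    t[0] = 10.0  # the window has passed, so the key may create again
    results.append(rl.allow("key-partner", "create")[0])
    return results  # [True, True, False, True]
```

In a multi-server deployment the per-key timestamps would have to live in a shared store rather than in process memory; the in-memory dictionary here is a simplification.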