Hi @Dewey_Munoz
As discussed in the previous points by the author, both IP-based and user-based rate limiting have some drawbacks when used independently. For example, IP-based rate limiting can impact users when using public IPs. Similarly, user-based rate limiting can have negative consequences in the case of wrong login attempts exceeding a specific throttle.
When used together, the pros and cons of both complement each other, and the resulting rate-limiting mechanism works better. In this case, the rate limit applies to a specific instance of both the user and IP information, rather than just one. The API service will generate a new authentication token for a user using a particular IP address, despite someone trying to log into the same user’s account using a different IP address and has exceeded the limit already.
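The three keying choices compared in the reply above, replayed over the same traffic, as an added example that is not part of the original post. The limiter class, the limit of 5 requests per 60 seconds, and the users and documentation-range IP addresses are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Sliding-window limiter; key_fn picks what a request is counted against."""

    def __init__(self, limit, window_s, key_fn):
        self.limit, self.window_s, self.key_fn = limit, window_s, key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, user, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[self.key_fn(user, ip)]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop requests that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# The three strategies discussed: per IP, per user, and per (user, IP) pair.
KEYINGS = {
    "ip": lambda user, ip: ip,
    "user": lambda user, ip: user,
    "user+ip": lambda user, ip: (user, ip),
}

def replay(keying, events, limit=5, window_s=60):
    """Replay (t, user, ip) events; return the allow/deny decision for each."""
    limiter = SlidingWindowLimiter(limit, window_s, KEYINGS[keying])
    return [limiter.allow(user, ip, now=t) for t, user, ip in events]

# Constructed sample traffic (assumed values, not from the original post).
# Case 1: six login attempts on alice's account from one address,
# then alice herself logging in from a different address.
WRONG_LOGINS = [(t, "alice", "203.0.113.9") for t in range(6)]
WRONG_LOGINS.append((10, "alice", "198.51.100.7"))
# Case 2: six different users behind one shared public IP.
SHARED_IP = [(t, f"user{t}", "192.0.2.1") for t in range(6)]

if __name__ == "__main__":
    for name in KEYINGS:
        print(name, replay(name, WRONG_LOGINS)[-1], replay(name, SHARED_IP)[-1])
```

Since every (user, IP) pair gets its own budget, deployments commonly keep a looser per-user or per-IP ceiling alongside the combined key.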