For us developers, and more generally for ease of management and evolution, it would be nice to have a way to lift or tune rate limiting for the Web API based on API tokens rather than on IP addresses only.
At first we don't need a full-fledged key revocation mechanism. We can make do with a simple list of API tokens that we generate, assign to clients, and look for in incoming HTTP requests in a header like the following (inspired by GitHub's use of the header):
$ curl -v -H "Authorization: token SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/
The Web app will check whether SWH_API_TOKEN is in the static, private list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses.
With Django REST framework this can be easily implemented with a custom throttle.
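A sketch of such a throttle, added here as an example and not code from the Software Heritage project: it parses the "Authorization: token ..." header, checks the token against the static list with a constant-time compare, and otherwise falls through to the existing IP-based throttle. The token list, the `_IPThrottleStandIn` base class (standing in for `rest_framework.throttling.AnonRateThrottle` so the snippet runs without Django) and `make_request` are assumptions made for the example.

```python
import hmac
from types import SimpleNamespace

# Constructed sample of the static, private token list; in the deployment it
# would come from private settings, like the existing IP whitelist (assumption).
ALLOWED_TOKENS = frozenset({"tok_example_A1", "tok_example_B2"})

def extract_token(authorization_header):
    """Token from 'Authorization: token <value>', or None if the header is missing or malformed."""
    if not authorization_header:
        return None
    parts = authorization_header.split()
    if len(parts) != 2 or parts[0].lower() != "token":  # scheme match case-insensitive (assumption)
        return None
    return parts[1]

def token_is_allowed(token, allowed=ALLOWED_TOKENS):
    """Membership test over every entry with a constant-time compare, so response
    timing does not reveal how much of a submitted token matched."""
    if not token:
        return False
    submitted = token.encode("utf-8")  # bytes: compare_digest rejects non-ASCII str
    found = False
    for candidate in allowed:
        if hmac.compare_digest(candidate.encode("utf-8"), submitted):
            found = True  # no early break, keeps the loop's timing uniform
    return found

class _IPThrottleStandIn:
    """Stand-in for rest_framework.throttling.AnonRateThrottle (assumption) so the
    module imports without Django; it only counts how often the IP path was consulted."""
    def __init__(self):
        self.ip_checks = 0

    def allow_request(self, request, view):
        self.ip_checks += 1  # the real base class applies the IP rate limit here
        return True

class TokenBypassThrottle(_IPThrottleStandIn):
    """Skip throttling for a whitelisted token; otherwise defer to the IP-based throttle."""
    def allow_request(self, request, view):
        token = extract_token(request.META.get("HTTP_AUTHORIZATION"))  # DRF's raw header slot
        if token_is_allowed(token):
            return True
        return super().allow_request(request, view)

def make_request(authorization=None):
    """Constructed stand-in request exposing only the META mapping the throttle reads."""
    return SimpleNamespace(META={} if authorization is None else {"HTTP_AUTHORIZATION": authorization})
```

In a real deployment `TokenBypassThrottle` would subclass `AnonRateThrottle` and be listed in `DEFAULT_THROTTLE_CLASSES`, so an unknown or missing token simply gets today's IP-based limit rather than an error.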