
    API Abuse & Bot Protection for SaaS Apps

    Every SaaS API is a target. Credential stuffing, scraping, API key theft, and cost exploitation (especially on AI-powered endpoints) can bankrupt a startup overnight. Here is how to protect your API without overengineering.

    The API Abuse Problem for SaaS Startups

    SaaS APIs face four primary attack vectors. Credential stuffing replays username and password pairs from leaked breach databases against your login endpoint, thousands of attempts per minute. Scraping bots extract your data to build competing products. API key theft happens when keys are shipped in client-side code or pushed to public repositories; anything delivered to the browser must be treated as public. Cost exploitation targets AI-powered endpoints where each call costs real money: an attacker who finds an unauthenticated or unlimited AI proxy can run up thousands of dollars in OpenAI or Anthropic charges in hours.

    Startups are particularly vulnerable because they often ship without rate limiting, use permissive CORS, and expose API keys in frontend code generated by AI tools like Lovable, Bolt.new, or Cursor. Note that CORS is enforced only by browsers: a permissive policy lets other sites' pages call your API with your users' credentials, but it does nothing to stop curl, scripts, or bots, so it is no substitute for rate limiting and authentication.

    Rate Limiting Strategies

    The two most practical rate limiting algorithms are token bucket (a bucket of N tokens refilled at a steady rate, so bursts of up to N requests are allowed by design) and sliding window (counts requests over a rolling period, so at no instant can more than the limit have been accepted in the last N seconds). For most SaaS apps, sliding window is the better default: a fixed window resets at a boundary, letting a client spend its full quota just before the reset and again just after, and token bucket tolerates bursts on purpose; a sliding window has no reset edge to exploit.

    Implement per-user limits for authenticated endpoints and per-IP limits for public endpoints like login and signup. When keying on IP behind a CDN or load balancer, read the client address from the header your proxy sets (for example CF-Connecting-IP behind Cloudflare) rather than from the socket, and never trust X-Forwarded-For arriving from the open internet: otherwise every request shares the proxy's bucket, or clients pick their own. In Node.js/Express, use the express-rate-limit middleware; its default store is in-process memory, so with more than one instance back it with a shared store such as Redis. For Next.js API routes, use @upstash/ratelimit with Upstash Redis, which speaks HTTP and so works from Vercel Edge Functions, and has a free tier (about 10,000 commands per day at the time of writing; check the current limits).

    For Supabase Edge Functions (Deno), use the Upstash Redis REST client (@upstash/redis), which needs no persistent connection. The key pattern is the same everywhere: check the rate limit before doing any work on the request, return 429 Too Many Requests if it is exceeded, and include a Retry-After header (in seconds) so legitimate clients can back off gracefully. The check has to run before the expensive part (database query, AI call), or it protects nothing.
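    The pattern above in working code, as an added example that is not from the original page or from VibeEval: a sliding-window limiter keyed per user or per IP, an Express-style middleware that emits 429 with Retry-After, and the proxy-header handling the previous paragraph warns about. The in-memory Map is a stand-in for Redis so the example runs offline; the `trustProxy` flag, header names and mock request shape are assumptions for illustration.

```javascript
// Added example (not the page's or VibeEval's code): sliding-window rate limiting
// with the 429 + Retry-After behaviour described in the text. The Map is an
// in-memory stand-in for Redis; with @upstash/ratelimit the same decision comes
// back from `await ratelimit.limit(key)`.

class SlidingWindowLimiter {
  // Allow at most `limit` requests in any rolling window of `windowMs` milliseconds.
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of accepted requests still in the window
  }

  // Returns { allowed, remaining, retryAfterSec }. `now` is injectable so tests are
  // deterministic; it defaults to the wall clock.
  check(key, now = Date.now()) {
    const windowStart = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > windowStart);
    if (recent.length >= this.limit) {
      // The oldest request still in the window is the one that frees a slot next.
      const retryAfterMs = recent[0] + this.windowMs - now;
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Behind Cloudflare or Vercel the socket peer is the proxy, so the real client
// address is in a header. Trust that header ONLY when a proxy you control sets it;
// otherwise a client can send its own X-Forwarded-For and choose any bucket.
function clientIp(req, trustProxy = false) {
  const h = req.headers || {};
  if (trustProxy) {
    if (h['cf-connecting-ip']) return h['cf-connecting-ip'];
    if (h['x-forwarded-for']) return h['x-forwarded-for'].split(',')[0].trim();
  }
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Express-style middleware: per-user bucket when authenticated, per-IP otherwise.
// `trustProxy` is an assumed deployment flag; set it to true only behind your CDN.
function rateLimit(limiter, trustProxy = false) {
  return function (req, res, next) {
    const key = req.user ? `user:${req.user.id}` : `ip:${clientIp(req, trustProxy)}`;
    const result = limiter.check(key); // runs before any expensive work
    res.setHeader('X-RateLimit-Limit', String(limiter.limit));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSec)); // seconds
      return res.status(429).json({ error: 'Too Many Requests' });
    }
    return next();
  };
}
```

    Mount it as `app.post('/login', rateLimit(new SlidingWindowLimiter(10, 60_000)), loginHandler)`. The denied request is not counted, so a client hammering the endpoint does not push its own Retry-After further out; if you prefer to penalise that behaviour, push `now` on the denied path as well.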

    Bot Detection and Prevention

    Cloudflare Turnstile is a good free default for bot detection at startup scale. Unlike reCAPTCHA, it is privacy-friendly and rarely asks users to solve a puzzle. Add it to login, signup, and password reset pages; wiring up their React component takes about 15 minutes. The widget only produces a token, so the protection is real only if your backend posts that token, together with your secret key, to Cloudflare's siteverify endpoint and rejects the request when verification fails. Tokens are single-use and short-lived, so verify on every submission and never cache the result.
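    The server-side half of that, as an added example (not code from the original page, from VibeEval or from Cloudflare): post the token to siteverify, then bind it to your hostname and the form it was issued for. The `fetchImpl` parameter, the stub endpoint, the hostname `app.example.com` and the token values are assumptions so the function can be exercised offline; in production omit `fetchImpl` and the global fetch of Node 18+ is used.

```javascript
// Added example (not the page's, VibeEval's or Cloudflare's code): verifying a
// Turnstile token on the server. The widget only yields a token; nothing is proven
// until the backend posts it to siteverify and checks the answer.

const TURNSTILE_VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

async function verifyTurnstile(
  { token, secret, remoteIp, expectedHostname, expectedAction },
  fetchImpl = globalThis.fetch, // injectable for offline use; real fetch in production
) {
  // Reject obviously bad input before spending a round trip (tokens are at most 2048 chars).
  if (typeof token !== 'string' || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: 'missing-or-oversized-token' };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);

  const resp = await fetchImpl(TURNSTILE_VERIFY_URL, { method: 'POST', body });
  if (!resp.ok) return { ok: false, reason: `siteverify-http-${resp.status}` };
  const data = await resp.json();

  // A replayed token comes back as success:false with "timeout-or-duplicate":
  // tokens are single-use, so a verification result must never be cached.
  if (data.success !== true) {
    return { ok: false, reason: (data['error-codes'] || ['unknown']).join(',') };
  }
  // Bind the token to this site and this form: one minted on another hostname, or
  // by the signup widget, must not unlock the login endpoint.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: 'hostname-mismatch' };
  }
  if (expectedAction && data.action !== expectedAction) {
    return { ok: false, reason: 'action-mismatch' };
  }
  return { ok: true, challengeTs: data.challenge_ts };
}

// Constructed stub standing in for Cloudflare's endpoint so the example runs
// offline: it accepts exactly one known token exactly once, like the real service.
function makeStubFetch(validToken) {
  const seen = new Set();
  return async (_url, { body }) => {
    const token = body.get('response');
    let payload;
    if (token === validToken && !seen.has(token)) {
      seen.add(token);
      payload = { success: true, hostname: 'app.example.com', action: 'login', challenge_ts: '2024-01-01T00:00:00Z' };
    } else if (token === validToken) {
      payload = { success: false, 'error-codes': ['timeout-or-duplicate'] };
    } else {
      payload = { success: false, 'error-codes': ['invalid-input-response'] };
    }
    return { ok: true, status: 200, json: async () => payload };
  };
}
```

    Set `data-action="login"` (and a different action on the signup and reset widgets) so the `expectedAction` check has something to bind to; without it a token harvested from any page on your site satisfies any form.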

    For deeper protection, consider browser fingerprinting to detect automated tools (libraries like FingerprintJS have free tiers), and monitor behavioral signals such as requests that never ran your JavaScript, missing headers a real browser always sends, or form submissions faster than a human could type. Treat these as risk scores that escalate to a challenge rather than as hard blocks: they produce false positives (privacy tools, corporate proxies, accessibility software), and a hard block on a heuristic locks out paying users.

    Protecting AI-Powered API Endpoints

    AI API proxying is the highest-cost attack surface for modern SaaS apps. If your app wraps OpenAI, Anthropic, or other AI APIs, every abused request costs you money. Implement token budget limits per user (e.g., 100,000 tokens per day on the free tier), count both prompt and completion tokens using the usage figures the provider returns, cap max_tokens on the server instead of accepting it from the client, track cumulative usage across requests, and set hard spending limits in the provider's dashboard as the backstop for when your own accounting fails. Reserve budget before the upstream call and settle it afterwards: checking only after the response lets a burst of parallel requests all pass the check and then overspend.

    Protect against prompt injection via the API by validating input length and keeping the system prompt separate from user input (separate messages with explicit roles, never string concatenation). Rejecting known injection phrases catches only the laziest attempts and should not be relied on; the durable defence is limiting what an injected prompt can achieve: the model call should have no access to other users' data and no privileged tools, and its output should be treated as untrusted. Rate limit generation endpoints more aggressively than read endpoints. A reasonable starting point is 10 requests per minute per user for AI generation versus 60 per minute for data reads.
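    Per-user token budgeting with reserve-then-settle, input length validation and role-separated prompts, as an added example that is not code from the original page, from VibeEval or from any AI provider. The Map stands in for Redis, the 4-chars-per-token estimate for the provider's tokenizer, and `callProvider` is injected so the example runs offline; the `SYSTEM_PROMPT` text, the `{ text, usage: { total_tokens } }` result shape and the status codes are assumptions.

```javascript
// Added example (not the page's, VibeEval's or a provider's code): token budgeting
// for an AI generation endpoint. The worst case (prompt estimate + max_tokens) is
// reserved BEFORE the upstream call and replaced by the real usage afterwards, so
// parallel requests cannot all pass the check and then overspend.

const DAY_MS = 24 * 60 * 60 * 1000;
const SYSTEM_PROMPT = 'You are a support assistant. Answer only questions about the product.'; // assumed

function estimateTokens(text) {
  return Math.ceil(text.length / 4); // rough upper bound; real counts come from the provider's usage field
}

class TokenBudget {
  constructor({ dailyLimit, maxOutputTokens, maxInputChars }) {
    this.dailyLimit = dailyLimit;           // e.g. 100_000 tokens/day on the free tier
    this.maxOutputTokens = maxOutputTokens; // server-side cap on max_tokens
    this.maxInputChars = maxInputChars;     // input length validation
    this.usage = new Map();                 // userId -> { day, used, reserved } (Redis in production)
  }

  _bucket(userId, now) {
    const day = Math.floor(now / DAY_MS);
    let b = this.usage.get(userId);
    if (!b || b.day !== day) {              // new day: budget resets
      b = { day, used: 0, reserved: 0 };
      this.usage.set(userId, b);
    }
    return b;
  }

  // Reserve the worst case for one request; fails closed if it would exceed the day.
  reserve(userId, userInput, now = Date.now()) {
    if (userInput.length > this.maxInputChars) return { ok: false, reason: 'input-too-long' };
    const worstCase = estimateTokens(userInput) + this.maxOutputTokens;
    const b = this._bucket(userId, now);
    if (b.used + b.reserved + worstCase > this.dailyLimit) {
      return { ok: false, reason: 'daily-budget-exceeded' };
    }
    b.reserved += worstCase;
    return { ok: true, reserved: worstCase };
  }

  // Swap the reservation for the provider-reported usage (0 if the call failed).
  settle(userId, reservedTokens, actualTokens, now = Date.now()) {
    const b = this._bucket(userId, now);
    b.reserved = Math.max(0, b.reserved - reservedTokens);
    b.used += actualTokens;
    return this.dailyLimit - b.used - b.reserved;
  }

  remaining(userId, now = Date.now()) {
    const b = this._bucket(userId, now);
    return this.dailyLimit - b.used - b.reserved;
  }
}

// System prompt and user text are separate messages with explicit roles (never
// concatenated), and max_tokens is what the server decided, not what the client sent.
function buildChatRequest(userInput, budget) {
  return {
    messages: [
      { role: 'system', content: SYSTEM_PROMPT },
      { role: 'user', content: userInput },
    ],
    max_tokens: budget.maxOutputTokens,
  };
}

// Endpoint handler. `callProvider(request)` must resolve to { text, usage: { total_tokens } }
// (an assumed shape; map your provider's response onto it).
async function handleGenerate({ userId, userInput }, budget, callProvider, now = Date.now()) {
  const r = budget.reserve(userId, userInput, now);
  if (!r.ok) {
    return { status: r.reason === 'input-too-long' ? 413 : 429, body: { error: r.reason } };
  }
  let usedTokens = 0;
  try {
    const result = await callProvider(buildChatRequest(userInput, budget));
    usedTokens = result.usage.total_tokens;
    return { status: 200, body: { text: result.text } };
  } finally {
    budget.settle(userId, r.reserved, usedTokens, now); // always release the reservation
  }
}
```

    The `finally` matters: if the provider call throws, the reservation is released with zero usage instead of leaking until midnight. With Redis, `reserve` and `settle` should each be a single atomic operation (a Lua script or a transaction) for the same reason the in-memory version checks and increments in one step.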

    Auth Endpoint Hardening

    Login endpoints are the most attacked surface on any SaaS app. Implement progressive rate limiting: allow 5 failed attempts per account per 15 minutes, then require a Turnstile challenge, then lock the account for 30 minutes. Keep lockouts short and prefer challenges and escalating delays to hard locks, because an attacker who knows a victim's email can otherwise lock them out at will. Use generic error messages ("Invalid email or password") to prevent account enumeration, return the same status and a similar response time whether or not the account exists, apply the failure counters to unknown identifiers too (a lockout that triggers only for real accounts is itself an oracle), and give signup and password reset the same treatment, since "this email is already registered" leaks exactly what the login page is hiding.

    For password spray protection, track failed logins per IP address across all accounts, not just per account. If a single IP fails login on 10+ different accounts in an hour, block that IP temporarily. Attackers increasingly spray from residential proxy pools, one request per IP, so per-IP blocking catches the clumsy cases; pair it with the per-account limits and the challenge, and alert on a global spike in failed logins across all IPs. Enforce MFA for all accounts with access to sensitive data or admin functions.
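    The progressive policy and spray detection from the two paragraphs above as one state machine, added here as an example that is not code from the original page or from VibeEval. The 5-failure challenge threshold, 15-minute window, 30-minute lock and 10-accounts-per-IP rule are the page's numbers; locking after a further 5 failures (10 in total) and a 60-minute IP block are assumptions, as are the injected `checkPassword` and `verifyChallenge` callbacks and the sample emails and IPs. Maps stand in for Redis.

```javascript
// Added example (not the page's or VibeEval's code): progressive login protection.
// Decisions: 'allow', 'challenge' (a Turnstile token is required before the password
// is even checked), 'locked' (account cooling off) and 'blocked_ip' (spray source).

const MINUTE_MS = 60 * 1000;
const POLICY = {
  challengeAfter: 5,               // failed attempts per account in accountWindowMs ...
  accountWindowMs: 15 * MINUTE_MS, // ... before a challenge is demanded
  lockAfter: 10,                   // assumed: hard lock after this many failures
  lockMs: 30 * MINUTE_MS,
  sprayAccounts: 10,               // distinct accounts failed from one IP ...
  sprayWindowMs: 60 * MINUTE_MS,   // ... within this window
  ipBlockMs: 60 * MINUTE_MS,       // assumed block duration for a spraying IP
};

class LoginGuard {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.accountFailures = new Map(); // identifier -> [failure timestamps]
    this.lockedUntil = new Map();     // identifier -> ms
    this.ipFailures = new Map();      // ip -> Map(identifier -> last failure ts)
    this.ipBlockedUntil = new Map();  // ip -> ms
  }

  // Decide before touching the password.
  decide(identifier, ip, now = Date.now()) {
    const ipUntil = this.ipBlockedUntil.get(ip) || 0;
    if (ipUntil > now) return { action: 'blocked_ip', retryAfterSec: Math.ceil((ipUntil - now) / 1000) };
    const acctUntil = this.lockedUntil.get(identifier) || 0;
    if (acctUntil > now) return { action: 'locked', retryAfterSec: Math.ceil((acctUntil - now) / 1000) };
    const fails = this._recentFailures(identifier, now);
    return { action: fails.length >= this.policy.challengeAfter ? 'challenge' : 'allow' };
  }

  _recentFailures(identifier, now) {
    const cutoff = now - this.policy.accountWindowMs;
    return (this.accountFailures.get(identifier) || []).filter((t) => t > cutoff);
  }

  // Record a failure for the SUBMITTED identifier even if no such account exists;
  // otherwise lockout behaviour reveals which emails are registered.
  recordFailure(identifier, ip, now = Date.now()) {
    const p = this.policy;
    const fails = this._recentFailures(identifier, now);
    fails.push(now);
    this.accountFailures.set(identifier, fails);
    if (fails.length >= p.lockAfter) {
      this.lockedUntil.set(identifier, now + p.lockMs);
      this.accountFailures.set(identifier, []); // counter restarts after the lock
    }
    // Password-spray detection: many different accounts failing from one IP.
    const perAccount = this.ipFailures.get(ip) || new Map();
    perAccount.set(identifier, now);
    for (const [acct, ts] of perAccount) {
      if (ts <= now - p.sprayWindowMs) perAccount.delete(acct);
    }
    this.ipFailures.set(ip, perAccount);
    if (perAccount.size >= p.sprayAccounts) this.ipBlockedUntil.set(ip, now + p.ipBlockMs);
  }

  recordSuccess(identifier) {
    this.accountFailures.delete(identifier);
  }
}

// One message for "no such account" and "wrong password" alike.
const GENERIC_FAILURE = { status: 401, body: { error: 'Invalid email or password' } };

async function login({ email, password, ip, turnstileToken }, guard, deps, now = Date.now()) {
  const d = guard.decide(email, ip, now);
  if (d.action === 'locked' || d.action === 'blocked_ip') {
    return { status: 429, retryAfterSec: d.retryAfterSec, body: { error: 'Too many attempts, try again later' } };
  }
  if (d.action === 'challenge' && !(await deps.verifyChallenge(turnstileToken))) {
    return { status: 403, body: { error: 'challenge-required' } };
  }
  if (!(await deps.checkPassword(email, password))) {
    guard.recordFailure(email, ip, now);
    return GENERIC_FAILURE;
  }
  guard.recordSuccess(email);
  return { status: 200, body: { ok: true } };
}
```

    `deps.checkPassword` should run the password hash comparison even for unknown emails (against a dummy hash) so the timing of the two failure paths matches; `deps.verifyChallenge` is where the Turnstile siteverify call goes.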

    Quick Implementation Checklist

    Step 1

    Add Cloudflare Turnstile to auth pages

    Free bot protection for login, signup, and password reset forms. Takes 15 minutes to implement; verify the token server-side on every submission.

    Step 2

    Implement rate limiting with Upstash Redis

    Serverless-friendly rate limiting. Use sliding window algorithm with per-user and per-IP limits.

    Step 3

    Set token budget limits on AI endpoints

    Cap per-user AI API usage to prevent cost exploitation. Track token consumption per request.

    Step 4

    Enable request logging and monitoring

    Log all API requests with timestamps, user IDs, and IP addresses. Set up alerts for anomalous patterns.

    Step 5

    Configure billing alerts

    Set spending limits on OpenAI, Anthropic, and other AI API providers. Alert at 50%, 80%, and 95% thresholds.

    Step 6

    Harden auth endpoints

    Add login attempt limits, account lockout after failures, and account enumeration prevention.


    Detect API Abuse Before It Costs You

    VibeEval scans your SaaS app for exposed API keys, missing rate limits, and auth vulnerabilities. Find issues before attackers exploit them.
