API rate limiting is a critical component for ensuring fair use and protecting infrastructure from abuse. But what happens when a legitimate partner is caught up in a rate limit meant to deter exploitative behavior? This is the story of how one developer encountered such a problem due to a VPN provider funneling traffic through a single IP—and the allowlist system that was built to fix it.
TLDR
A third-party VPN provider routed hundreds of users through a shared exit IP, triggering aggressive rate limit throttling designed to block abuse. Unfortunately, some of these users were accessing the API through a legitimate, high-volume partner. The unintentional blocking caused degraded service for that partner. To resolve the issue, an IP allowlisting system was developed to identify and exempt trusted partners from generic rate limits, improving accuracy and trust inside the ecosystem.
The Discovery: Rate Limits Misfire
It all started with a routine alert: a well-respected data partner began reporting degraded performance when accessing an API service. Response times were inconsistent, and occasionally, requests were being outright throttled. At first glance, this seemed improbable—the partner was on a dedicated integration and had explicit permission for high-throughput querying.
Server logs revealed the issue: the majority of the requests from this partner were coming from a single IP address. That same IP had recorded thousands of non-partner requests, most of them seemingly random or scripted accesses to public resources, and clearly within the API limits for anonymous traffic. All those requests—from bots, trial accounts, and free users—were being funneled through this single IP.
A deeper IP geo-trace revealed the source: a well-known VPN provider. The partner’s development team had required their users to access data via a secured, cloud-deployed VPN gateway, purely for traffic inspection and policy enforcement.
Unfortunately, this VPN exit IP was shared by many other users as well, and that was causing an entirely legitimate API partner to be choked by blanket rate limiting.
Understanding the Impact
Rate limits are designed under the assumption that one IP equals one user or one application instance. This model collapses when VPNs or proxies are introduced. Suddenly, a single IP address might represent hundreds—or even thousands—of different users.
In this particular case, the VPN exit node had hit the general-purpose threshold limiter, meaning traffic through it was throttled regardless of authentication level. The rate-limiting engine wasn’t smart enough to distinguish between traffic from anonymous users and sanctioned, high-throughput partners because both were coming from the same location.
The partner was understandably frustrated. They had gone through the proper channels: signed agreements, secure tokens, compliance auditing. Yet they were treated like speculative bots due to IP ambiguity.
The Root Problem
The existing rate-limiting system used two major controls:
- IP-based limits: to restrict excessive usage from unknown sources
- Token-based limits: to prevent abuse even on authenticated calls
While token-based controls remained effective, IP-based rate limiting still kicked in before tokens were verified in some parts of the pipeline—especially during resource-intensive pre-flight checks. This setup was efficient for catching brute-force traffic but not sophisticated enough to account for edge cases like shared VPNs.
Designing a More Intelligent Solution
The answer wasn’t to eliminate IP limitations entirely; that would invite abuse. Rather, a more nuanced system had to be introduced: one that categorized and exempted traffic for known, reliable partners.
This birthed the concept of an “Allowlist.” Not a traditional IP allowlist per se, but a contextual system that allowed traffic based on a mix of trust weight, source token, partner ID, and optionally, IP when it aided auditability.
Key Features of the Allowlist System
- Partner Profiles: Each partner is registered with a unique partner ID linked to issued authentication tokens.
- Trusted IP Mapping: Partners can register IPs (such as VPN exit nodes) that are explicitly tied to specific kinds of traffic.
- Rate Limit Overrides: Using the context of the request, known trusted maps are cross-checked before default rate limits are applied.
- Audit Trails: Request logs include allowlist decisions, creating testable and revisable records of throttling avoidance.
In this new system, requests can be fast-tracked if they match a trusted matrix of partner token and known IP. This doesn’t simply give them unlimited access—it grants access through a separate and better-calibrated rate regime.
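As an added illustration (not the project's own code), here is a minimal Python model of the decision described in The Root Problem and in this section: the allowlist lookup on (partner token, registered IP) runs before the generic IP limiter, so trusted partner traffic from a shared VPN exit is billed to its own rate regime while anonymous or unregistered traffic through the same IP stays under the default limit, and every decision is recorded for the audit trail. Token values, partner IDs, IPs and limits are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed allowlist data (placeholders, not real partners or addresses).
PARTNER_TOKENS = {"tok-acme-7f3a": "acme"}        # issued token -> partner ID
TRUSTED_IPS = {("acme", "203.0.113.10")}          # partner ID + registered VPN exit IP
LIMITS = {"default": 5, "partner": 1000}          # requests per window, per regime


class SlidingWindowLimiter:
    def __init__(self, window_s=60.0):
        self.window_s = window_s
        self.hits = defaultdict(deque)  # bucket key -> timestamps of counted requests

    def allow(self, key, limit, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


class Gateway:
    def __init__(self):
        self.limiter = SlidingWindowLimiter()
        self.audit = []  # one allowlist decision per request, for the audit trail

    def handle(self, ip, token=None, now=None):
        now = time.time() if now is None else now
        partner = PARTNER_TOKENS.get(token)
        # The allowlist check runs BEFORE the generic IP limiter. A partner token
        # paired with its registered IP is billed to a per-partner bucket; anything
        # else (anonymous, unknown token, unregistered IP) shares the per-IP bucket,
        # so presenting a forged token from the VPN exit gains nothing.
        if partner and (partner, ip) in TRUSTED_IPS:
            regime, key = "partner", f"partner:{partner}"
        else:
            regime, key = "default", f"ip:{ip}"
        allowed = self.limiter.allow(key, LIMITS[regime], now)
        self.audit.append({"ip": ip, "partner": partner, "regime": regime, "allowed": allowed})
        return allowed, regime
```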
Implementation Challenges
Developing the allowlist wasn’t as trivial as adding a few IP checks. Several system components—the API gateway, the rate limit engine, and analytics—had to be updated to:
- Pass partner ID context throughout the request lifecycle
- Support conditional branching in rate application logic
- Safely share allowlist data with edge services without exposing sensitive config
Eventually, a lightweight service was deployed within the internal infrastructure to cache and serve allowlist data to other microservices through a signed HTTP protocol. Using HMAC hashing for validation, this minimized unnecessary DB calls and protected the allowlist from tampering.
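An added example, not the page's own service: the signed distribution step modelled in Python as HMAC-SHA256 over a canonical JSON body with a freshness check, plus an edge-side cache that only accepts a snapshot whose tag verifies and otherwise keeps its last good copy. The key, field names and skew window are assumptions.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-for-production"  # hypothetical per-service secret
MAX_SKEW_S = 300  # reject snapshots issued more than five minutes from the verifier's clock


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace, so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_allowlist(entries: list, key: bytes, issued_at: int) -> dict:
    """Allowlist service side: wrap entries with a timestamp and an HMAC-SHA256 tag."""
    body = {"issued_at": issued_at, "entries": entries}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_allowlist(message: dict, key: bytes, now: int):
    """Edge service side: return the entries if tag and freshness check out, else None."""
    body, sig = message.get("body"), message.get("sig", "")
    if not isinstance(body, dict) or not isinstance(sig, str):
        return None
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare, before trusting any field
        return None
    if abs(now - int(body.get("issued_at", 0))) > MAX_SKEW_S:
        return None  # stale or replayed snapshot
    return body.get("entries", [])


class EdgeAllowlistCache:
    """Edge-side cache: a snapshot replaces the current one only when it verifies."""

    def __init__(self, key: bytes):
        self.key = key
        self.trusted = set()  # (partner_id, ip) pairs consulted by the rate limiter

    def refresh(self, message: dict, now: int) -> bool:
        entries = verify_allowlist(message, self.key, now)
        if entries is None:
            return False  # keep the last good snapshot (and alert on it in practice)
        self.trusted = {(e["partner_id"], e["ip"]) for e in entries}
        return True
```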
The Outcome
Once deployed, the results were instantaneous. The affected partner’s performance returned to normal, and similar issues were preemptively neutralized by allowing other known partners to register their trusted VPN IPs.
In addition, no new surge in abuse was observed. Bad actors with no tokens still triggered ordinary IP-based rate limits. The allowlist system had created a bifurcated protection stream: strict for anonymous users, optimized for partners.
Lessons Learned
This incident reinforced the idea that while automation and rules are essential, context is king. Systems that track authentication, IP, and request patterns together will always outperform blunt one-size-fits-all defenses.
And perhaps more importantly, success in API relationships is not just about performance or data—it’s also about trust and support. The allowlist system showed partners that their access was valued and safeguarded against collateral damage.
Frequently Asked Questions (FAQ)
- Q: Why not simply remove IP-based rate limits for all users?
  A: IP-based rate limiting still serves as a first line of defense against abuse. Removing it universally would open the door to brute-force attacks and bot-driven misuse.
- Q: Could spoofing the allowlist be a vulnerability?
  A: The allowlist is cross-validated with partner tokens and HMAC-signed requests. Both context and origin must match for overrides to take effect.
- Q: Can partners dynamically update their IPs in the allowlist?
  A: Yes. An internal dashboard allows partners to request IP changes via a monitored support flow, subject to approval and review.
- Q: How do you monitor abuse within allowlisted partners?
  A: All allowlisted traffic is still logged and analyzed. Misuse patterns trigger reevaluation of allowlist eligibility and may lead to temporary suspension.
- Q: What if the same exit IP gets used by a malicious actor?
  A: If the IP is mapped to multiple entities, trust decisions fall back on tokens and behavioral analysis to prioritize legitimate traffic.
The journey from frustration to a resilient solution highlights the layered thinking required in modern API ecosystems. Striking the right balance between security and usability is never one-and-done—it’s a continuous process of adapting to real-world usage at scale.


