I have a query about how Rate Limits are applied to better understand best practice for sending requests to the Web API.
Are rate limits calculated usingstrictly Client IDor are there other factors? A couple of scenarios:
If one access token was being used heavily, would this have an affect on whether rate limiting would apply for that access token and/or generally for the whole app (other access tokens)?
Are rate limits also applied on a per-user basis (e.g: If (a) token(s) authorizing one user of the app were heavily sending requests, would that be likely to affect users authorized by other tokens)?
Would rate limits differ if the requests are made from different IP's?
Do rate limits differ depending on how the access token was authorised (Which flow was used; Authorization Code/Client Credentials/Implicit Grant)?
The reason behind these questions is I'm trying to understand whether it would be best to offload some requests to client-side where this can be done rather than performing it all on the backend. Also, correct me if I'm wrong but it seems that now all of the endpoints of the Web API require authentication of some sort (Which would all be authenticated via the Client ID)?