We have 2 rate limiting policies:
IP + API_key and
API_key. Both have a limit of 100 requests per minute. In the
IP + API_key policy, if an invalid API key is provided, only the IP is recorded usage of the API. Because of the
API_key policy, distinct users of the same role of an instance should use different API keys. For example,
Trustee-2 who both reference the same instance could use the same API key for serving the instance properly, but this would trigger rate limiting for the API key because the trustees are sharing quotas.