API open endpoint best practices


I am currently developing an API for my front-end React application. All my routes (besides the two I’ll mention below) are secure by the use of JWTs. They get generated once a user logs in and is then used for the remainder of the session. The app to API connection will be over HTTPS so it should hinder MiTM attacks.

The two endpoints (which you have probably guessed) is the login and register endpoint. I have come across this question that suggests using HMAC. If I understand it correctly, the front end will create a hash (using a shared secret) of the request body and send it with the request; once the request arrives the API will generate a hash (with the same shared secret) based off of the request and compare the two hash values. If they don’t match then the request was tampered with or is fraudulent.

So that obviously verifies the integrity of the requests made. The other problem is now that, anyone can just spam the hell out of the endpoint and effectively DoS/DDoS the endpoint. Even though the requests are fraudulent, the request will still be tried to be verified on the API side by calculating the hash. Which takes compute power. So if I am getting a lot of requests, very quickly, it will drag my API down.

Would it be right to say that I need to rate-limit the endpoint based on the request IP address? Say limit the call to 10 per hour from a specific IP address? Would appreciate any feedback with regards how to stop the spamming of the endpoints.