Enforce a configurable rate limit on the API to mitigate abuse (#261)