We maintain an API at https://go.tallyfy.com/api served via Cloudflare.
In order to use our API, clients need to do OAuth 2.0 authentication and they receive a session-id.
That unique session ID is used for all subsequent API calls - it’s a token, and has an expiration date.
We want to write a Cloudflare Worker which reads a session ID and rate-limits any calls by that session ID to 10 calls/second.
Note that normal rate-limiting only rate-limits by IP - whereas we want to rate-limit by session token ID.
How would we do it, assuming we need to store the “current calls/second” somewhere as well?
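
One way to approach the limit asked about above, as an added example that is not part of the original post: a sliding-window limiter keyed by session token instead of client IP. The `Authorization: Bearer` header, the in-memory `Map` store and all class and function names are assumptions. Worker isolates do not share memory, so in a deployed Worker this state would have to live in one strongly consistent place, such as a Durable Object.

```javascript
// Added example (not from the original post): sliding-window limiter per session.
const LIMIT = 10; // calls allowed per window, from the question
const WINDOW_MS = 1000; // one second

class SessionRateLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // session key -> ascending timestamps (ms) of accepted calls
  }

  // Decide one call made at time `now` (ms). Rejected calls are not recorded,
  // so a client that keeps retrying does not extend its own lockout.
  check(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drop sessions with no accepted call inside the window so the map stays bounded.
  sweep(now) {
    for (const [key, times] of this.hits) {
      const last = times[times.length - 1];
      if (last === undefined || last <= now - this.windowMs) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Assumption: the session token arrives as "Authorization: Bearer <token>".
// Hashing the token before using it as a key would avoid storing the raw credential.
function sessionKey(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.get("authorization") || "");
  return m ? m[1] : null;
}

// Returns the status the Worker would send before forwarding the call to the origin.
function decide(limiter, headers, now) {
  const key = sessionKey(headers);
  if (key === null) return { status: 401, retryAfterMs: 0 };
  const r = limiter.check(key, now);
  return { status: r.allowed ? 200 : 429, retryAfterMs: r.retryAfterMs };
}
```

A 429 response would normally carry `retryAfterMs` rounded up to seconds in a `Retry-After` header.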