---
title: Authenticated route uses expensive APIs without rate limiting
description: Datadog, the leading service for cloud-scale monitoring.
---

# Authenticated route uses expensive APIs without rate limiting

## Description{% #description %}

This API calls third-party services that are billed per request, and the route does not apply any rate limiting to those calls.

A malicious user could abuse this endpoint to incur significant costs, exceed your quota, and potentially disrupt your application.

## Rationale{% #rationale %}

This finding is raised when both of the following hold:

- The endpoint uses a third-party paid service as part of its operations ([see the list of services](https://docs.datadoghq.com/security/default_rules/appsec-expensive_apis/#strategy) that fall into this category).
- No business logic rate-limiting rule is associated with the endpoint.

## Remediation{% #remediation %}

- Set up rate limiting using a [detection rule](https://docs.datadoghq.com/security/application_security/policies/custom_rules/#business-logic-abuse-detection-rule) on this API.
- Require a challenge (for example a CAPTCHA) to block automated traffic and slow down resource exhaustion.
- Keep track of this sensitive business flow by [adding business logic information](https://docs.datadoghq.com/security/application_security/how-it-works/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces) to the endpoint, so that calls to the paid service are visible on traces and can feed detection rules.
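The following is an added example, not Datadog's own code, that shows what the application-side part of this remediation looks like: an authenticated handler that guards every call to a per-request-billed backend with a per-user token bucket, and records a business-logic event for each call and each rejection. The handler, the `audit` callback (which stands in for wherever a real application would forward the event to its tracing library) and the `geocoder` service name are all assumptions made for the illustration; the rate-limit values are constructed sample numbers.

```python
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class _Bucket:
    tokens: float
    updated: float


class PerUserRateLimiter:
    """Token bucket keyed by authenticated user id.

    capacity       - burst allowed per user
    refill_per_sec - sustained rate per user
    clock          - injectable for deterministic tests
    """

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, user_id: str) -> bool:
        now = self.clock()
        bucket = self._buckets.get(user_id)
        if bucket is None:
            bucket = _Bucket(tokens=self.capacity, updated=now)
            self._buckets[user_id] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = now - bucket.updated
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def geocode_handler(user_id: str, address: str, limiter: PerUserRateLimiter,
                    paid_backend: Callable[[str], Any],
                    audit: Callable[[str, Dict[str, Any]], None]) -> Dict[str, Any]:
    """Hypothetical authenticated route that calls a per-request-billed geocoder.

    The limiter is consulted *before* the paid call so that a rejected request
    costs nothing, and every outcome is reported as a business-logic event.
    """
    if not limiter.allow(user_id):
        audit("paid_api.rate_limited", {"usr.id": user_id, "service": "geocoder"})
        return {"status": 429, "body": "rate limit exceeded"}
    audit("paid_api.call", {"usr.id": user_id, "service": "geocoder"})
    return {"status": 200, "body": paid_backend(address)}


def simulate() -> Dict[str, Any]:
    """Drive the handler with a fake clock and a fake backend; returns counts."""
    fake_time = [0.0]
    backend_calls: List[str] = []
    events: List[str] = []

    def fake_backend(address: str) -> Dict[str, float]:
        backend_calls.append(address)              # each call would be billed
        return {"lat": 48.85, "lon": 2.35}         # constructed sample result

    def audit(name: str, meta: Dict[str, Any]) -> None:
        events.append(name)

    limiter = PerUserRateLimiter(capacity=3, refill_per_sec=1.0, clock=lambda: fake_time[0])
    statuses = []
    for _ in range(4):                             # burst: 3 pass, 4th rejected
        statuses.append(geocode_handler("user-42", "10 Rue X", limiter, fake_backend, audit)["status"])
    fake_time[0] += 2.0                            # two seconds later: 2 tokens refilled
    for _ in range(3):                             # 2 pass, 3rd rejected
        statuses.append(geocode_handler("user-42", "10 Rue X", limiter, fake_backend, audit)["status"])
    return {
        "statuses": statuses,
        "backend_calls": len(backend_calls),
        "rate_limited_events": events.count("paid_api.rate_limited"),
        "call_events": events.count("paid_api.call"),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the ordering in `geocode_handler` is that the limiter, not the backend, is the first thing a request hits: an automated client burning through the quota gets 429s without generating billable calls, and the `paid_api.rate_limited` events give the security team a signal to alert on. A per-user bucket is only a floor; a global bucket on the same backend is what protects the account-wide quota when many accounts are abused at once.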
