Details
Improvement
Resolution: Fixed
Neutral
1.0
None
Description
API rate
Add a module configuration item apiRate which controls the number of comments that can be created by all users per second.
User API rate
Add another module configuration item userApiRate which controls the number of comments that can be created by a specific user per second.
In the case of an authenticated user, we will use the user id to identify the user.
In the case of an anonymous user, we will use the request IP address (if available), otherwise the JSESSIONID cookie.
Error
When one of the limits (API rate or User API rate) is reached, the server returns HTTP 429 (Too Many Requests). The error message should state whether the API rate was exceeded or whether the user API rate was exceeded.
As it is hard to apply reliable limits to anonymous access (IP spoofing, shared addresses behind a proxy, ...), the API rate acts as a safeguard to make sure that the underlying API service does not get overloaded even when the per-user limit is evaded.
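The following is an added example of how the two limits and the identity fallback described above could fit together; it is illustrative code written for this page, not the module's own implementation. It assumes a minimal Request model (user id, client IP, JSESSIONID) standing in for the servlet request, a fixed one-second window, and that callers with no identity at all share a single bucket. The key prefixes and message texts are also assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not the project's code): a fixed-window limiter enforcing a
 * global apiRate and a per-user userApiRate, both in comments per second.
 */
public final class CommentRateLimiter {

    /** Minimal request model; the real module would read these from the servlet request (assumption). */
    public static final class Request {
        final String userId;     // null when the caller is anonymous
        final String remoteAddr; // null when the client address is unavailable
        final String jsessionId; // null when no JSESSIONID cookie was sent

        public Request(String userId, String remoteAddr, String jsessionId) {
            this.userId = userId;
            this.remoteAddr = remoteAddr;
            this.jsessionId = jsessionId;
        }
    }

    /** Outcome of a check: HTTP status plus a message naming the limit that was hit. */
    public static final class Decision {
        public final int status;     // 200 when allowed, 429 when a limit is reached
        public final String message; // empty when allowed

        Decision(int status, String message) { this.status = status; this.message = message; }
        public boolean allowed() { return status == 200; }
    }

    private final int apiRate;      // global limit: comments per second across all users
    private final int userApiRate;  // per-identity limit: comments per second per user key
    private long windowSecond = Long.MIN_VALUE;
    private int globalCount;
    private final Map<String, Integer> perKeyCount = new HashMap<>();

    public CommentRateLimiter(int apiRate, int userApiRate) {
        this.apiRate = apiRate;
        this.userApiRate = userApiRate;
    }

    /** Identity used for the per-user limit: user id, else client IP, else JSESSIONID. */
    static String identify(Request r) {
        // Distinct prefixes keep a user id from colliding with an IP or session id that is the same string.
        if (r.userId != null) return "user:" + r.userId;
        if (r.remoteAddr != null) return "ip:" + r.remoteAddr;
        if (r.jsessionId != null) return "session:" + r.jsessionId;
        return "anonymous"; // assumption: callers with no identity at all share one bucket
    }

    /** Checks both limits for one comment creation at nowMillis; the request is counted only if both pass. */
    public synchronized Decision check(Request r, long nowMillis) {
        long second = nowMillis / 1000L;
        if (second != windowSecond) {   // a new one-second window starts: reset every counter
            windowSecond = second;
            globalCount = 0;
            perKeyCount.clear();
        }
        // Global safeguard is evaluated first: once it is reached nobody gets through, whatever their identity.
        if (globalCount >= apiRate) {
            return new Decision(429, "API rate exceeded: at most " + apiRate + " comments per second for all users");
        }
        String key = identify(r);
        int used = perKeyCount.getOrDefault(key, 0);
        if (used >= userApiRate) {
            return new Decision(429, "User API rate exceeded: at most " + userApiRate + " comments per second for " + key);
        }
        globalCount++;                  // both limits passed: charge the request to both counters
        perKeyCount.put(key, used + 1);
        return new Decision(200, "");
    }

    public static void main(String[] args) {
        CommentRateLimiter limiter = new CommentRateLimiter(5, 2); // constructed settings: apiRate=5, userApiRate=2
        long t = 1_700_000_000_000L;                                // constructed timestamp (milliseconds)
        Request alice = new Request("alice", "192.0.2.10", "abc");  // authenticated: keyed by user id
        Request anon1 = new Request(null, "198.51.100.7", null);    // anonymous with an address: keyed by IP
        Request anon2 = new Request(null, null, "F00D");            // anonymous without address: keyed by JSESSIONID

        Request[] sequence = { alice, alice, alice, anon1, anon1, anon2, anon2 };
        for (int i = 0; i < sequence.length; i++) {
            // Third request from alice hits the user limit; the last one hits the global limit.
            Decision d = limiter.check(sequence[i], t + 10L * i);
            System.out.println(identify(sequence[i]) + " -> " + d.status + " " + d.message);
        }
        Decision next = limiter.check(alice, t + 1000L); // next second: counters are reset
        System.out.println("next window -> " + next.status);
    }
}
```

Two points worth keeping in mind when turning this into the real module: the counters are reset on second boundaries, so a client can burst up to twice the configured rate across a boundary (a sliding window or token bucket removes that if it matters), and the IP key should come from the address the server trusts, not from a forwarded header that an anonymous client can set.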