- Token bucket rate limiting (per user, per IP, per API key).
- Request validation (reject malformed requests early, before they reach business logic).
- Adaptive throttling: under load, reduce rate limits dynamically.
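
A sketch of how the token bucket and adaptive throttling items combine, as an added example that is not code from the original page. The class name, the `knee` and `floor` values and the utilization signal are assumptions chosen for illustration.

```python
import time

class AdaptiveTokenBuckets:
    """One token bucket per (kind, identity); refill rate shrinks under load."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)      # tokens added per second at normal load
        self.burst = float(burst)    # bucket capacity (largest allowed burst)
        self.clock = clock           # injectable so tests can control time
        self.load_factor = 1.0       # 1.0 = full rate, lower = throttled
        self._buckets = {}           # (kind, ident) -> [tokens, last_refill]

    def set_utilization(self, u, knee=0.7, floor=0.1):
        """Adaptive throttling: full rate up to `knee`, then a linear ramp
        down to `floor` at 100% utilization (both values are assumptions)."""
        self.load_factor = min(1.0, max(floor, (1.0 - u) / (1.0 - knee)))

    def _refill(self, key):
        # Credit tokens earned since the last visit, capped at the burst size.
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        earned = (now - last) * self.rate * self.load_factor
        bucket = self._buckets[key] = [min(self.burst, tokens + earned), now]
        return bucket

    def allow(self, user, ip, api_key):
        """Admit a request only if the user, IP and API-key buckets all have
        a token. Check first, charge second, so a denial costs nothing."""
        keys = (("user", user), ("ip", ip), ("api_key", api_key))
        buckets = [self._refill(k) for k in keys]
        if any(b[0] < 1.0 for b in buckets):
            return False
        for b in buckets:
            b[0] -= 1.0
        return True
```

The bucket map grows with every new identity it sees, so a deployed limiter also needs to evict idle entries or cap the map size.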