[plone.restapi] Default configuration questions

I'm not talking about rate limiting (only allowing X requests per timeframe, etc.). For that we can use API gateways or other tools.

What I mean are the restapi-specific settings, like the max number of batched items per query or the activated services. We have use cases where we don't need to get content details, catalog queries, workflow or whatever, just some custom services for synchronizing or getting some specific data or posting to EasyForm forms. Being able to activate/deactivate those services per Plone site using the registry and a control panel would be a huge benefit IMO.

Ok, this is indeed a different use case. Sorry I got that wrong at first. Enabling/disabling individual services or even limiting certain parameters/return values might be a slippery slope. I agree that this might be a useful feature. Though, I also see the risk that we overengineer the REST API by adding configuration options for every possible use case.

The most simple use case would be to have a registry entry per service endpoint and then allow administrators to enable/disable those. What if you want to enable/disable service endpoints for specific users only? We kind of already have ZCML to do more sophisticated things than a simple enable/disable. Would it be really useful to do those things TTW? Otherwise, you could just create a custom profile that disables service endpoints via ZCML, right?

When we talk about more sophisticated limits, things get even more complex. We would need lots of configuration options that usually would fit only a very specific use case and we might end up with a lot of options that need to be documented and taken into consideration when working with the REST API.

I am just thinking out loud here. I do not have a definite answer and I'd be open if someone wants to explore this. Though, I am a bit sceptical about being able to accomplish what we aim for without overengineering the REST API.

I have been working on updating ftw.tokenauth for Plone 5 and Python 3 and already sent a PR with the updates.

I have also created REST API endpoints to create, delete and list service-keys so that the product can be used easily with Volto. See pull-requests: Pull requests · 4teamwork/ftw.tokenauth · GitHub
