Hello Jungwonpark,

Yes, there is a hard limit function available on RapidAPI and we have tried it as well. Unfortunately, we cannot implement it because it allows users to create multiple fake accounts without needing to put their credit card details. The last time when we did this, some malicious user from Singapore created dozens of fake accounts to get more number of free API calls per month. Hence, we now stick to soft limit.

To ensure that you don’t exceed your free API calls, you can keep track of it in a count variable, and put a condition in your code to not to make API calls if count > 150.

Coming to your second question … preventing malicious users on a website depends on how the website is structured and deployed. For example, it would be a really bad idea to put your RapidAPI Key on a static website, in the frontend code. You must always keep your API Key a secret and use it in backend. Never exposing it.

If you need any help in the development or have any questions related to Medium API, feel free to contact me at nishu@mediumapi.com

Regards
Nishu