When making anonymous requests to the helix API, the only way, as far as I can see, that the rate limit can be calculated is using the client ID, which we pass in through the header. My concern is that this client id can be easily stolen during the OAuth handshake. Furthermore, according to RFC6749, section 2.2, the client id should not be considered a secret.
The concern that I have it that once a particular client ID is obtained by a bad actor, they can perform a denial of service attack on our application by making frequent Twitch API calls, thereby exhausting the rate limit.
I have a few questions:
Are anonymous rate limits counted separately to authenticated rate limits? Or do they work in a similar way to the moderator/ non-moderator IRC limits?
Would you consider using a client-secret proof for anonymous requests instead of the client id alone? This can be an option that we turn on per app, so that when turned on, an anonymous request must provide the client-secret proof instead of the client id. There are probably many ways that this proof can be generated, and hashing the client-id and the client-secret (maybe with a nonce) is one way to generate such a proof.