Hi Charles, I'm also not sure about the motive of this attack. But as he mentioned, his friend (who didn't know much programming) was using it. So he might've mistakenly over-used it. But there is a strong possibility that he might be trying to steal my database.
There is no way (and no reason) to limit the number of IPs that can use an API (that's why we have API keys for authentication and authorization).
As far as the usage limit is concerned, I did put a soft limit on the BASIC plan. That means, after 1000 free calls per month, the user is charged $0.03 per call as the overage fee.
I did not put any hard limit because I didn't want to constrain my users.
https://rapidapi.com/learn/rapidapi-hub-consumer/introduction/subscribing-api
Their API Gateway is just for tracking the usage of the API for a particular user. Nothing else.