What harm would come of a client firing mass get requests at the server?
A client firing mass GET requests at our API would actually be less resourse intensive than a client firing mass GET requests at the main site (which they could do) because the API is so heavily cached. And probably not any more harm from the DoS attacks we get on a very regular basis. Our network sits behind a load balancer that distributes requests across a handful of web servers, and is well protected, thanks to James #1 :) You'd really need to put a lot of effort in to hurt us.