Comment by thayne

I can't find any documentation that says Anubis does this, (although it seems odd to me that it wouldn't, and I'd love a reference) but it could do the following:

1. Store the nonce (or some other identifier) of each jwt it passes out in the data store

2. Track the number or rate of requests from each token in the data store

3. If a token exceeds the rate limit threshold, revoke the token (or do some other action, like tarpit requests with that token, or throttle the requests)

Then if a bot solves the challenge it can only continue making requests with the token if it is well behaved and doesn't make requests too quickly.

It could also do things like limit how many tokens can be given out to a single ip address at a time to prevent a single server from generating a bunch of tokens.