@stevenroose I'd say you could implement it as a generic HTTP proxy. Making it a language- and application-agnostic API protection. Probably even possible as SaaS.
Clients would need to implement it though. But it could even be configured progressively, to remain backwards compatible. As in '5 requests per minute allowed without PoW-header, unlimited with such a header'.
Now, if only someone with more time liked this concept as much as I do...
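
The progressive policy described in the post above, sketched as the admission check such a proxy could run. This is an added example, not code from the post's author; the hash puzzle (SHA-256 with leading zero bits), the `X-PoW` header name, the difficulty and the server-issued challenge string are all assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

FREE_LIMIT = 5        # requests per window without a PoW header (from the post)
WINDOW_SECONDS = 60   # "per minute"
DIFFICULTY_BITS = 12  # assumed: required number of leading zero bits
POW_HEADER = "X-PoW"  # hypothetical header name; its value is the nonce

_recent = defaultdict(deque)  # client id -> timestamps of header-less requests
_spent = set()                # (challenge, nonce) pairs already accepted once


def pow_ok(challenge, nonce, bits=DIFFICULTY_BITS):
    """True if SHA-256(challenge:nonce) starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client side: search for a nonce that satisfies pow_ok."""
    n = 0
    while not pow_ok(challenge, str(n), bits):
        n += 1
    return str(n)


def admit(client, challenge, headers, now=None):
    """Proxy decision for one request: True forwards it, False rejects it."""
    now = time.monotonic() if now is None else now
    nonce = headers.get(POW_HEADER)
    if nonce is not None:
        # A header that is present must verify and must not be a replay;
        # a bad header is rejected instead of falling back to the free tier.
        if (challenge, nonce) in _spent or not pow_ok(challenge, nonce):
            return False
        _spent.add((challenge, nonce))
        return True
    # Legacy clients without the header: sliding window of FREE_LIMIT requests.
    window = _recent[client]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= FREE_LIMIT:
        return False
    window.append(now)
    return True
```

In a real deployment the spent set needs an expiry tied to the challenge lifetime, otherwise it grows without bound.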