
Rate Limiting Wasn't Enough — So I Built an API Gateway with Behavioral Abuse Detection
Real rate limiting, Bloom filters, credential stuffing detection, and the bugs that almost broke everything. Live demo included.

GitHub: macaulaypraise/api-gateway-with-abuse-detection
Live demo: api-gateway-with-abuse-detection.onrender.com/docs

As someone transitioning into backend engineering, I wanted to build something that went beyond tutorials. I didn't want a CRUD app. I wanted something that would teach me how real systems defend themselves — something I could point to in an interview and say: "I built this from scratch and I know exactly why every line exists."

That project became an API Gateway with Abuse Detection — a FastAPI service that sits in front of upstream backends and actively detects credential stuffing, scraping bots, and known-bad actors. Here's a technical breakdown of how it works, the decisions behind it, and the real bugs that nearly cost me my sanity.

What the System Does

Every request passes through a six-step middleware chain in this exact order:

1. Reque
Continue reading on Dev.to



