
So, basically, you forgot to rate limit your API?



There’s no winning here. Sending back a bunch of 429’s is still part of your API. Sure it’s less expensive to do than the operation the client was probably requesting but it’s not free and it’s stateful. For the kinds of bad actors people are talking about in this thread you still want to blackhole them.


All you're doing is offloading the response to a piece of network hardware. It seems like what you're looking for is a technological solution for load management which you're forsaking in favor of a kludge, then blaming the user.


A poorly written bot spamming your site with millions of API requests all getting 400s deserves all the blame.

The solution to someone constantly spamming your phone is not to pick up each call and say “call back later” but to block their number.

The moment I become AWS and need to support millions of those poorly written bots because they’re my customers I’ll bother.
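The escalation the thread is arguing about (answer a bursty client with 429, but stop spending application state on a client that keeps hammering through the 429s and hand it to the network layer instead), as an added example that is not from any commenter in the thread. The limiter, its parameters and the sample traffic are all constructed for illustration.

```python
# Added example: token-bucket rate limiter that escalates persistent
# offenders from 429 responses to a block list (the set you would push to
# the firewall or edge device so the app stops answering them at all).
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    last: float
    strikes: int = 0  # consecutive requests rejected with 429


@dataclass
class Limiter:
    rate: float          # tokens refilled per second
    burst: int           # bucket capacity
    max_strikes: int     # 429s in a row before the client is blackholed
    buckets: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def decide(self, client: str, now: float) -> int:
        """Return 200 (serve), 429 (throttle) or 0 (drop at the network
        layer, send nothing and keep no per-request state)."""
        if client in self.blocked:
            return 0
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(tokens=self.burst, last=now)
        # refill in proportion to elapsed time, capped at the burst size
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            b.strikes = 0    # a client that backs off gets a clean slate
            return 200
        b.strikes += 1
        if b.strikes >= self.max_strikes:
            self.blocked.add(client)
            del self.buckets[client]  # stop tracking the client in the app
            return 0
        return 429


def simulate(limiter: Limiter, events):
    """events: iterable of (timestamp, client); returns the status per event."""
    return [limiter.decide(client, t) for t, client in events]


if __name__ == "__main__":
    lim = Limiter(rate=1.0, burst=3, max_strikes=5)
    # constructed traffic: a bot firing 12 requests within 1.2 seconds
    print(simulate(lim, [(i * 0.1, "bot") for i in range(12)]))
```

The bot gets three successes, four 429s, then silence; the per-client bucket is dropped once it is blackholed, which is the "stateful" cost the comment above objects to paying forever.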



