Can someone point to me to any documentation that explains the rate limit for the customerRecover mutation on the Storefront API? There seems to be something else in play other than the normal time-based leaky bucket logic. I sometimes get only a single request, sometimes maybe two or three before getting the error "Resetting password limit exceeded. Please try again later." It seems to take several minutes before allowing requests again.
We are trying to use this endpoint to support a "forgot my password" link in a separate app, so the query is being made on a central server. My guess is that the Storefront API is making the assumption that each IP address is a unique customer, but because these requests are being proxied through a server it is being viewed as a single customer, and (maybe?) they only want customers making a single request to reset a password.
If we had to, we could transfer this request to the client rather than proxying it, but I think that would mean exposing the Storefront Access Token which makes it—effectively—public and pointless.
So I guess my two questions are:
Can someone point to me to any documentation that explains the rate limit for the customerRecover mutation on the Storefront API?
If there's no great server-side solution, is there a way to make calls to the Storefront API in a way that doesn't expose the Storefront Access Token? (Temporary access tokens, for example?)