Just add rate limiting, a single line in nginx and most server libraries would cover this. More sophisticated attackers (using multiple IP, hiding fingerprints) aren't going to bother with a site like this (probably lol)

The code that got him wasn't a "bot" it was just a script that spawned a couple children and had them all hit the API on loop.