- People request access and get an API key associated with a given load threshold, or don't use an API key and default to some low threshold
- Anything that SQL EXPLAIN says is over the threshold returns an error
- Successful requests' load costs and execution time (and possibly CPU, if that can be determined) count toward a usage rate limit
- An SQL parser implements the subset of SQL you deem safe and acceptable and forms a last-resort firewall
Obviously this is a complex solution; I'm curious what people's opinions are on whether this would overall be simpler or more difficult in the long run.