We are design an analytics logging API for our JS application. What bothers us is spamming prevention. I can't come up with a better way than rate limiting to prevent someone else use a fake client and spam the API. Is there something I missed here? What are some best practices on this? What do generic services, say Google Analytics, solve the problem?