allow for different API rate limit configs for the same API based on request header criteria

Allow for multiple API rate limits to be configured on a single API (domain, method, path) where the order tries to match the first config in the list. For example:


  1. GET to /order/stuff on www.mysite.com has a default rate limit of 20/min.

  2. GET to /order/stuff on www.mysite.com has a req header specific rate limit of 2/min when the user-agent header is "bad guy signature" and the content-type header is set to "application/json"

  3. GET to /order/stuff on www.mysite.com has a req header specific rate limit of 2000/min when the user-agent header is "friendly test automation - GUID: 9dd20617-55b6-4a14-8b28-a94576c17bea"


Here we have defined 3 categories of rate limits:

  1. legit users

  2. known threat actors (bad guys)

  3. known friendly test automation (folk from our own team for which we have provisioned a GUID to include in the user-agent as a water mark)


This would allow for rate limits that match legit traffic, tighter rate limits for bad guys, and more relaxed limits for test automation. This allows us to let friendly automation through at a higher rate without having to force them to use a static IP. We can give them a GUID or API key to include in a header and match on that header value to allow them a higher throughput.

  • Guest
  • Sep 21 2023
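As an added worked example (not code from the post above, and not the configuration syntax of any particular gateway or WAF product), the following Python implements the proposed scheme: an ordered list of rate-limit rules keyed on (domain, method, path) plus exact-match header criteria, where the first matching rule decides the limit. The rule names, the `bucket_by_header` option, the client IP addresses and the sample requests are assumptions constructed for the example. One caveat worth noting: because evaluation stops at the first matching rule, the header-specific rules must be listed before the catch-all default; if the default is first in the list, as in the numbering above, it matches every request and the other two rules are never reached.

```python
"""First-match rate-limit rules keyed on (domain, method, path) plus header criteria.
Added example; rule names, bucket option, IPs and sample requests are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


def _lower_headers(req: dict) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before comparing.
    return {k.lower(): v for k, v in req.get("headers", {}).items()}


@dataclass
class RateLimitRule:
    name: str
    domain: str
    method: str
    path: str
    limit: int                       # max requests per window
    window_seconds: int = 60
    # Every listed header must be present with exactly this value for the rule to match.
    headers: Dict[str, str] = field(default_factory=dict)
    # Assumed option: count per value of this header (e.g. the automation GUID)
    # instead of per client IP, so friendly automation needs no static IP.
    bucket_by_header: Optional[str] = None

    def matches(self, req: dict) -> bool:
        if req["host"].lower() != self.domain.lower():
            return False
        if req["method"].upper() != self.method.upper():
            return False
        if req["path"] != self.path:
            return False
        hdrs = _lower_headers(req)
        return all(hdrs.get(n.lower()) == v for n, v in self.headers.items())


class RateLimiter:
    """Fixed-window counter; the first rule whose criteria match decides the limit."""

    def __init__(self, rules: Iterable[RateLimitRule]):
        self.rules = list(rules)
        self._counts: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def select_rule(self, req: dict) -> Optional[RateLimitRule]:
        for rule in self.rules:          # order matters: first hit wins
            if rule.matches(req):
                return rule
        return None

    def check(self, req: dict, client_ip: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (allowed, matched rule name). Requests matching no rule are not limited."""
        rule = self.select_rule(req)
        if rule is None:
            return True, None
        bucket = client_ip
        if rule.bucket_by_header:
            bucket = _lower_headers(req).get(rule.bucket_by_header.lower(), client_ip)
        key = (rule.name, bucket, int(now) // rule.window_seconds)
        self._counts[key] += 1
        return self._counts[key] <= rule.limit, rule.name


AUTOMATION_UA = "friendly test automation - GUID: 9dd20617-55b6-4a14-8b28-a94576c17bea"


def build_rules() -> List[RateLimitRule]:
    """The three categories from the post, most specific first so the default
    does not shadow them (matching stops at the first hit)."""
    return [
        RateLimitRule("bad-guys", "www.mysite.com", "GET", "/order/stuff", limit=2,
                      headers={"user-agent": "bad guy signature",
                               "content-type": "application/json"}),
        RateLimitRule("test-automation", "www.mysite.com", "GET", "/order/stuff", limit=2000,
                      headers={"user-agent": AUTOMATION_UA}, bucket_by_header="user-agent"),
        RateLimitRule("default", "www.mysite.com", "GET", "/order/stuff", limit=20),
    ]


def make_request(user_agent: str, content_type: str = "application/json",
                 path: str = "/order/stuff") -> dict:
    """Constructed sample request (not captured traffic)."""
    return {"host": "www.mysite.com", "method": "GET", "path": path,
            "headers": {"User-Agent": user_agent, "Content-Type": content_type}}


def count_allowed(limiter: RateLimiter, req: dict, client_ip: str,
                  attempts: int, now: float = 1_700_000_000.0) -> int:
    """Send `attempts` requests inside one window and return how many were allowed."""
    return sum(1 for _ in range(attempts) if limiter.check(req, client_ip, now)[0])


if __name__ == "__main__":
    limiter = RateLimiter(build_rules())
    print("legit:", count_allowed(limiter, make_request("Mozilla/5.0"), "198.51.100.7", 25))
    print("bad guy:", count_allowed(limiter, make_request("bad guy signature"), "203.0.113.9", 5))
    print("automation:", count_allowed(limiter, make_request(AUTOMATION_UA), "10.0.0.1", 2500))
```

A request with the bad-guy user-agent but a different content-type falls through to the default rule, since all header criteria of a rule must match; and because the automation rule buckets on the user-agent value rather than the source address, two automation hosts behind different IPs draw from the same 2000/min budget.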