Or, for some of the applications that are shared with many users and have one Client ID. Do you mean per IP/OAuth per Client ID? Because, the Client-ID is public data, all I have to do is snatch one from some-popular-service and DDoS them. I may have misread what you said too, not enough coffee today!