ulule / limiter

Dead simple rate limit middleware for Go.

IP Addresses are not differentiated from one another?

mileung opened this issue · comments

I deployed an API that uses limiter on Google Cloud Run. On separate devices with different IP addresses, when I hit the rate limit on one device, the limit is hit on the other device. I have verified the two devices have different IP addresses by searching "my ip" in a browser on both devices. So it seems that the IP address or the key used for the store is the same.

Hello,

Do you have a reverse proxy in front of your API?

Not to my knowledge. Maybe Google Cloud Run is doing something I'm not aware of.

I made a rate limited test endpoint that prints the ip of the request and they are different on different devices, so there doesn't seem to be a proxy.

Yeah, pretty sure Google Cloud Run uses a reverse proxy. The different IP is not an argument because it's a best practice to have multiple reverse-proxy for availability.

You should use the TrustForwardHeader option so the library will look at X-Real-IP and/or X-Forwarded-For headers to use the public IP address.

TrustForwardHeader bool

But be careful, if Google Cloud Run doesn't have a reverse proxy, and my diagnosis is wrong, this could leave you with potential IP spoofing for your limiter.
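The trade-off described above, as an added example that is not part of the thread or of the limiter library's own code. It shows how the rate-limit key changes depending on whether forwarding headers are trusted: without trust, every request arriving through one proxy shares the proxy's address (the symptom reported in this issue); with trust, the leftmost `X-Forwarded-For` entry or `X-Real-IP` is used; and, as a hardening the library option itself does not include (an assumption here, not a limiter feature), headers are honoured only when the TCP peer is inside an allow-listed proxy range, so a client connecting directly cannot pick its own key. All addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy controls how the rate-limit key (the client IP) is derived.
type Policy struct {
	TrustForwardHeader bool
	// TrustedProxies is an assumed hardening: when non-empty, forwarding
	// headers are honoured only if the TCP peer is inside one of these ranges.
	TrustedProxies []*net.IPNet
}

// peerIP extracts the TCP peer address from r.RemoteAddr ("host:port").
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present
	}
	return net.ParseIP(host)
}

// peerTrusted reports whether headers set by this peer may be believed.
func (p Policy) peerTrusted(ip net.IP) bool {
	if len(p.TrustedProxies) == 0 {
		return true // no allow-list configured: every peer is trusted
	}
	for _, n := range p.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the string the limiter should key on for this request.
func (p Policy) ClientIP(r *http.Request) string {
	peer := peerIP(r)
	if peer == nil {
		return r.RemoteAddr // unparseable peer: fall back to the raw value
	}
	if !p.TrustForwardHeader || !p.peerTrusted(peer) {
		return peer.String()
	}
	// X-Forwarded-For is a comma-separated chain; the leftmost entry is the
	// original client as reported by the first proxy.
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		first := strings.TrimSpace(strings.Split(xff, ",")[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip.String()
		}
	}
	if xr := strings.TrimSpace(r.Header.Get("X-Real-IP")); xr != "" {
		if ip := net.ParseIP(xr); ip != nil {
			return ip.String()
		}
	}
	return peer.String() // headers absent or malformed
}

// newReq builds a constructed request: remote is the TCP peer, xff/xrip the
// forwarding headers (empty string = header not set).
func newReq(remote, xff, xrip string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	if xrip != "" {
		r.Header.Set("X-Real-IP", xrip)
	}
	return r
}

// mustCIDR parses a CIDR or panics; used only for the constructed allow-list.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	// Two devices reaching the API through a proxy at 10.0.0.5 (constructed).
	devA := newReq("10.0.0.5:41000", "198.51.100.7", "")
	devB := newReq("10.0.0.5:41001", "203.0.113.20", "")
	// A client connecting directly, with no proxy, and setting the header itself.
	direct := newReq("203.0.113.9:50000", "192.0.2.1", "")

	naive := Policy{}
	trusting := Policy{TrustForwardHeader: true}
	hardened := Policy{TrustForwardHeader: true, TrustedProxies: []*net.IPNet{mustCIDR("10.0.0.0/8")}}

	fmt.Println("no trust:", naive.ClientIP(devA), naive.ClientIP(devB))       // both keys are the proxy address
	fmt.Println("trust:   ", trusting.ClientIP(devA), trusting.ClientIP(devB)) // one key per device
	fmt.Println("forged:  ", trusting.ClientIP(direct))                        // header value chosen by the client
	fmt.Println("hardened:", hardened.ClientIP(direct))                        // peer not allow-listed, header ignored
}
```

The allow-list is what turns the maintainer's caveat into a safe default: if the platform does put a proxy in front of the service, its address range goes in `TrustedProxies`; if it turns out not to, a direct client's headers are simply ignored rather than becoming the limiter key.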

Thanks, that seems to have fixed the issue!