Find a way to identify each user (via userId). Create a centralized map of (userID => queue of timestamps}. For each request, write the timestamp of the request to the user's specific timestamp queue. If the size of the timestamp queue for that user is over the rate limit (500 reqs), reject the request. Otherwise, allow the request. Have a job that runs every minute that purges timestamps from each user's queue that is not within the time window of the last 10 minutes.