Every public-facing API service should have API usage limits. If this seems overkill then ask yourself if would it be OK if a single IP sends a million requests a second.
This does not apply just to publicly documented services but even to undocumented services that are publicly accessible.
The usage limits can be based on multiple factors
- IP address
- API key – if applicable
- Browser user-agent or lack of it
What should the limits be?
Just use Google API limits as a starting number.