Every public-facing API service should have API usage limits. If this seems like overkill, ask yourself whether it would be OK for a single IP to send a million requests a second.
This applies not just to publicly documented services but also to undocumented services that are publicly accessible.

The usage limits can be based on multiple factors:

  1. IP address
  2. API key – if applicable
  3. Browser user-agent or lack of it

What should the limits be?

Just use Google API limits as a starting number.
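
As an added example (not code from the original post), here is one way to combine the three factors above in a sliding-window limiter. The class name, the bucket scheme and the limit numbers are assumptions chosen for illustration; the numbers are placeholders, not Google's actual quotas.

```python
import time
from collections import defaultdict, deque

# Assumed placeholder limits (requests per window), not taken from any real API.
# The IP ceiling is higher than the per-key limit so several keys can share one NAT address.
WINDOW_SECONDS = 60
LIMITS = {"api_key": 100, "ip": 300, "no_user_agent": 10}


class UsageLimiter:
    """Sliding-window limiter keyed on IP address, API key and User-Agent presence."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits, self.window, self.clock = limits, window, clock
        self.hits = defaultdict(deque)  # bucket name -> timestamps of accepted requests

    def _buckets(self, ip, api_key, user_agent):
        # Every request counts against its source IP, so rotating keys does not reset it.
        buckets = [(f"ip:{ip}", self.limits["ip"])]
        if api_key:
            buckets.append((f"key:{api_key}", self.limits["api_key"]))
        if not (user_agent or "").strip():
            # Missing or blank User-Agent: apply a much stricter per-IP budget.
            buckets.append((f"noua:{ip}", self.limits["no_user_agent"]))
        return buckets

    def allow(self, ip, api_key=None, user_agent=None):
        """Return (allowed, retry_after_seconds); a request must fit every bucket."""
        now = self.clock()
        buckets = self._buckets(ip, api_key, user_agent)
        retry_after = 0.0
        for name, limit in buckets:
            q = self.hits[name]
            while q and now - q[0] >= self.window:
                q.popleft()  # drop timestamps that have left the window
            if len(q) >= limit:
                retry_after = max(retry_after, self.window - (now - q[0]))
        if retry_after > 0:
            return False, retry_after  # rejected requests are not recorded
        for name, _ in buckets:
            self.hits[name].append(now)
        return True, 0.0
```

The counters here live in one process's memory; a service running several workers would keep them in a shared store instead. The `retry_after` value is what a handler would return alongside an HTTP 429 response.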