I want to be able to throttle token requests for invalid secrets to prevent brute forcing. Can anyone point me to a reference that describes how to go about that?