[Feature Request] JWT Claim Extraction for Rate Limiting

[Feature Request] JWT Claim Extraction for Rate Limiting

Use case:
We have a mobile API where every request includes an Authorization: Bearer <JWT> header. The JWT contains claims like user_id, client_id, and device_id that uniquely identify the client/user/device.

IP-based rate limiting is not effective for our case because:

Mobile clients share IPs via NAT or carrier-grade NAT
A single malicious user can abuse the API without triggering IP-based limits
We need to block/rate-limit specific users or devices, not entire IP ranges

Concrete scenario:
Our API endpoints have configurable rate limits per client. A specific client_id may exceed the allowed number of requests within a given time window. SafeLine currently cannot identify this as a violation because it only tracks by IP — so the backend receives all requests and gets overloaded. We want SafeLine to return HTTP 429 once the threshold is exceeded for that client_id.

What we need:
The ability to extract a specific claim from the JWT payload (e.g. sub, user_id, client_id, device_id) and use it as the rate-limit key in SafeLine's rate limiting configuration.

Fallback request:
If full JWT parsing is complex to implement, we'd also be satisfied with the ability to rate-limit based on a custom request header value, such as:

X-Client-Id
X-Device-Id
X-RateLimit-Key

This would allow us (or our API Gateway) to forward the relevant identifier as a plain header, and SafeLine would use it as the rate-limit key.

Why this matters:
The goal is to offload rate limiting and early filtering to the WAF layer, reducing load on the API Gateway. Without this feature, JWT-aware rate limiting must be handled deeper in the stack, defeating the purpose of having a WAF in front.

This is a very common requirement for mobile-first and API-first architectures. Would love to see this on the roadmap!