Daxia [ FastAPI ] Add rate limiting to API key auth #7294

Closed
daxia778 wants to merge 1 commit into UnsafeLabs:main from daxia778:daxia/fastapi-api-key-rate-limit-768-v2

@daxia778 commented Jun 26, 2026

Summary

  • Add APIKeyWithRateLimit as an opt-in APIKeyHeader extension.
  • Parse limits like 100/minute and track per-key sliding-window usage with a lock.
  • Return 429 with Retry-After when a key exceeds its window.
  • Support deprecated_keys that still authenticate and add a Warning response header.
  • Preserve existing APIKeyHeader behavior and export the new helper from fastapi.security.

Demo video

https://github.com/daxia778/Bounty-Hunters/releases/download/issue-768-demo-66560e13/fastapi-api-key-rate-limit-768-demo-66560e13.mp4

Validation

  • uv run pytest tests/test_security_api_key_rate_limit.py -q
  • uv run pytest tests/test_security_api_key_header.py tests/test_security_api_key_header_optional.py -q
  • uv run pytest tests/test_security_api_key*.py -q
  • uv run ruff check fastapi/security/api_key.py fastapi/security/__init__.py tests/test_security_api_key_rate_limit.py
  • uv run ruff format --check fastapi/security/api_key.py fastapi/security/__init__.py tests/test_security_api_key_rate_limit.py
  • python3 -m json.tool fastapi/security/.audit.json
  • git diff --check

/claim #768
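
The per-key sliding window listed in the summary above, as an added example that is not code from this PR or from FastAPI. `parse_limit`, `SlidingWindowLimiter`, `check` and the Warning header text are hypothetical, and the key is assumed to have been validated before `check` is called.

```python
import math
import threading
import time
from collections import defaultdict, deque

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """Parse 'N/unit' (e.g. '100/minute') into (max_requests, window_seconds)."""
    count, sep, unit = spec.strip().partition("/")
    if not sep or not count.isdigit() or int(count) < 1 or unit not in _UNITS:
        raise ValueError(f"invalid rate limit: {spec!r}")
    return int(count), _UNITS[unit]


class SlidingWindowLimiter:
    """Hypothetical per-key sliding-window limiter (stdlib only)."""

    def __init__(self, spec, deprecated_keys=(), clock=time.monotonic):
        self.max_requests, self.window = parse_limit(spec)
        self.deprecated = frozenset(deprecated_keys)
        self._clock = clock  # injectable so tests need not sleep
        self._hits = defaultdict(deque)  # api_key -> accepted timestamps
        self._lock = threading.Lock()

    def check(self, api_key):
        """Return (status_code, headers) for one request made with api_key."""
        now = self._clock()
        with self._lock:  # prune, count and append as one atomic step
            hits = self._hits[api_key]
            while hits and hits[0] <= now - self.window:
                hits.popleft()  # timestamp has left the window
            if len(hits) >= self.max_requests:
                # The oldest hit leaves the window at hits[0] + window.
                retry = max(1, math.ceil(hits[0] + self.window - now))
                return 429, {"Retry-After": str(retry)}
            hits.append(now)  # rejected requests are not recorded
        headers = {}
        if api_key in self.deprecated:
            # Constructed header value; the PR text does not give one.
            headers["Warning"] = '299 - "API key is deprecated"'
        return 200, headers
```

State here lives in one process, so several workers each enforce the limit separately. Tracking keys before they are validated would let arbitrary header values grow `_hits` without bound.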

@daxia778

Author

/claim #768

@daxia778

Author

Added the short demo video requested by the bounty guidelines to the PR body:

https://github.com/daxia778/Bounty-Hunters/releases/download/issue-768-demo-66560e13/fastapi-api-key-rate-limit-768-demo-66560e13.mp4

The demo shows the focused rate-limit test run passing without exposing secrets or private environment data.

@github-actions

Contributor

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting. See CONTRIBUTING.md for guidelines.

@github-actions github-actions Bot closed this Jun 26, 2026