On my web server, all API requests made related-to and before authentication are subject to an exponential timeout.
For example, after a user unsuccessfully logs in a few times, the delay before the server will accept a request will go from 2 to 4, 8, 16 seconds and so on.
Any requests made during these delay periods will be immediately rejected by the server with a rety-after header passed.
What HTTP status code should the server return in this case?
I think it should be
429 Too Many Requests