ChatGPT Rate‑Limiting Bug Costs 14 Hours – Lessons Learned

An engineering team turned to ChatGPT for a quick fix to a surging API traffic problem. The model spat out a 50‑line Flask rate limiter that looked clean and passed a brief review. After a few days the code ran fine, but as the service scaled to twelve instances the limiter began to crumble, forcing 14 hours of debugging and a near‑outage.

Five hidden defects emerged. An in‑memory rate_limit_store grew without bounds, creating a memory leak. Restarting the service wiped the store, letting users bypass limits.

Each server kept its own counter, so the effective limit multiplied twelvefold. The routine used request.remote_addr, which only returned the load balancer’s address, misidentifying every client. Finally, no logs or metrics meant operators could not tell whether limits were being hit.

The team rewrote the component with Redis for shared state, added TTL cleanup, extracted the real client IP from the X‑Forwarded‑For header, introduced tiered limits, and instrumented structured logging. The episode underscores that AI‑generated snippets may compile, yet they often ignore production realities such as scaling, observability, and infrastructure nuances.
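As an added illustration (not code from the DEV Community article or the team it describes), the limiter below addresses the defects listed above in one runnable piece: entries expire and are evicted so the store cannot grow without bound, the client address is taken from X-Forwarded-For only when the direct peer is a trusted proxy, limits are tiered, and every decision emits a structured log event. The per-instance counter problem is modelled by an injectable store; an in-memory dict is used here so the example runs offline, and the comments note where a shared Redis store would replace it. All names, tiers, addresses and limits are hypothetical.

```python
"""Fixed-window rate limiter with TTL eviction, trusted-proxy X-Forwarded-For
parsing, tiered limits and structured logging. Example code; names and values
are constructed for illustration."""
import json
import time
from ipaddress import ip_address, ip_network

# Constructed tiers: tier name -> requests allowed per window.
TIERS = {"anonymous": 5, "free": 20, "pro": 100}
WINDOW_SECONDS = 60


class MemoryStore:
    """Per-process store, used only so the example runs without Redis.

    In production this is exactly the defect described above: each of the
    twelve instances would keep its own counters, multiplying the effective
    limit. A shared store (Redis INCR + EXPIRE on the same key) replaces it.
    """

    def __init__(self):
        self._data = {}  # key -> (count, expires_at)

    def incr(self, key, ttl, now):
        # Evict expired keys first so the dict cannot grow without bound.
        expired = [k for k, (_, exp) in self._data.items() if exp <= now]
        for k in expired:
            del self._data[k]
        count, exp = self._data.get(key, (0, now + ttl))
        self._data[key] = (count + 1, exp)
        return count + 1

    def __len__(self):
        return len(self._data)


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the real client address behind a load balancer.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    otherwise a client could forge the header and pick its own identity.
    """
    nets = [ip_network(p) for p in trusted_proxies]

    def trusted(addr):
        try:
            return any(ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not trusted(remote_addr) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left, skipping proxies we control; the first untrusted
    # hop is the client. Entries further left were supplied by the client.
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return remote_addr


class RateLimiter:
    def __init__(self, store, log, window=WINDOW_SECONDS, clock=time.time):
        self.store, self.log, self.window, self.clock = store, log, window, clock

    def check(self, ip, tier):
        """Return (allowed, count, limit) and emit one structured log event."""
        limit = TIERS.get(tier, TIERS["anonymous"])
        now = self.clock()
        # Key includes the window index, so each window gets a fresh counter
        # and the TTL (one window) covers the whole window before eviction.
        key = f"rl:{tier}:{ip}:{int(now // self.window)}"
        count = self.store.incr(key, self.window, now)
        allowed = count <= limit
        self.log(json.dumps({"event": "rate_limit", "ip": ip, "tier": tier,
                             "count": count, "limit": limit, "allowed": allowed}))
        return allowed, count, limit


def demo():
    """Constructed scenario: a client behind a trusted proxy hits the
    anonymous tier six times, then again after the window has rolled."""
    events = []
    clock = [1000.0]
    limiter = RateLimiter(MemoryStore(), events.append, clock=lambda: clock[0])
    ip = client_ip("10.0.0.1", "203.0.113.7, 10.0.0.1", ["10.0.0.0/8"])
    results = [limiter.check(ip, "anonymous")[0] for _ in range(6)]
    clock[0] += WINDOW_SECONDS + 1          # next window; old key is evicted
    after_window = limiter.check(ip, "anonymous")[0]
    return ip, results, after_window, len(limiter.store), len(events)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows five allowed requests, a sixth rejected, a fresh allowance in the next window, a store holding only the live key, and one log line per decision; a forged header from an untrusted peer is ignored, so `client_ip("198.51.100.9", "203.0.113.99", ["10.0.0.0/8"])` still yields the peer address.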