The standard OTK endpoints like /authorize, /consent, and /token are read-only. How do you add rate limits to these endpoints?
These policies in 4.1 (and up to the latest, 4.3) should not be read-only just yet. There is a warning in the policy that they will be read-only in the future, however should have the ability to edit this at the present time. Please let me know if this is not the case and what error you get when trying to save them.
All the OTK endpoint services in OTK4.1 are not read-only. They are modifiable.
Assuming that you are running API Gateway 9.2 with OTK 4.1, here is the full documentation on the Apply Rate Limit Assertion. As stated, all OTK endpoint services are modifiable and you can add this assertion to the policy. However, services are overwritten during an upgrade. If you have customized a service, make a copy to save your customizations, upgrade, then copy your customizations into the newly upgraded service. Also be aware that OAuth 1.0 support was dropped in OTK 4.2. Hope that helps.