We should log the start and stop of all requests. Probably a request ID, endpoint, method, and payload for the start log, and then a request ID, status code, response body, and duration for the end log.

And some auth, cookie info, and rate limit info to debug login issues. It would be convenient to see something like "returning a 401 because the cookie did not match the value stored in password" or "request has been rate limited" or whatever the case may be.

Additionally, a configuration knob for the rate limit would be useful for debugging (perhaps just a disable toggle).