Support Suspicious IP/ Client Throttling for M2M Access Token Requests #3771
Unanswered
anichrelay-bloom asked this question in Q&A
Hi!
I am trying to throttle access token requests if some malicious third party is continuously hitting the token endpoint with bad credentials. Is it possible to configure client-based/IP-based throttling for the `oauth2/token` endpoint? It does not look like this is directly supported by the Ory platform. Can it be configured using something like the `before login` webhook but for M2M clients?

I am currently using the Hydra OAuth2 token hook for setting custom claims, and this webhook is only called if the client credentials in the token request are valid. Ory does not call the token hook endpoint in case of invalid credentials, so it does not give me the control to set any limitations on how to handle suspicious behavior.

Is it possible to implement a new hook configuration under the `oauth2` field of the Hydra configuration or update the current schema to support a `before` hook for M2M grants?
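The per-client/per-IP throttling asked about above can be sketched as a sliding-window failure counter. This is an added example, not part of the original post and not Ory or Hydra code. It assumes a gateway placed in front of `oauth2/token` calls `Blocked` before forwarding a request and `RecordFailure` when the endpoint answers 401; the type and method names and the sample key are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// FailureThrottle blocks a key (source IP, client_id, or both) after `limit` failures inside `window`.
type FailureThrottle struct {
	mu       sync.Mutex
	limit    int
	window   time.Duration
	failures map[string][]time.Time // per key, oldest failure first
}

func NewFailureThrottle(limit int, window time.Duration) *FailureThrottle {
	return &FailureThrottle{limit: limit, window: window, failures: map[string][]time.Time{}}
}

// Blocked drops failures older than the window and reports whether key has reached the limit.
func (t *FailureThrottle) Blocked(key string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	fs := t.failures[key]
	for len(fs) > 0 && now.Sub(fs[0]) >= t.window {
		fs = fs[1:]
	}
	if t.failures[key] = fs; len(fs) == 0 {
		delete(t.failures, key) // keep the map from growing with idle or unknown keys
	}
	return len(fs) >= t.limit
}

// RecordFailure is called for a forwarded request that the token endpoint rejected
// (assumption: HTTP 401 signals failed client authentication).
func (t *FailureThrottle) RecordFailure(key string, now time.Time) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.failures[key] = append(t.failures[key], now)
}

func main() {
	th, key, now := NewFailureThrottle(3, time.Minute), "ip:203.0.113.7", time.Now() // constructed key
	for i := 0; i < 4; i++ {
		fmt.Println(i, th.Blocked(key, now)) // the fourth attempt is blocked
		th.RecordFailure(key, now)
	}
}
```

Because blocked requests are never forwarded, they add no new failures, so a key is released once its oldest failures age out of the window.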