Yup. 500 errors are "the server is broken" (aka the server fails to fulfil the request), 400 errors are "the client did something it should not", including every case of "the client did something the server took issue with for whatever reason".
In fact RFC 6585 added "429 Too Many Requests" specifically for rate-limiting scenarios.
413 (payload too large), 414 (URI too long) or 431 (header fields too large) are likewise things which may technically be valid according to the HTTP spec in general, but which the server rejects.
In fact RFC 6585 added "429 Too Many Requests" specifically for rate-limiting scenarios.
413 (payload too large), 414 (URI too long) or 431 (header fields too large) are likewise things which may technically be valid according to the HTTP spec in general, but which the server rejects.