Because token-server is deployed on docker, req.ip is the address of the actual server and the address of the client making an API endpoint request (e.g. for a token reward or a Cashtab reward).
So, right now, the rate limiting "works" -- but it rate limits all users instead of by IP address of individual users. This is causing normal users to get rate limit errors.
Ref https://stackoverflow.com/questions/62494060/express-rate-limit-not-working-when-deployed-to-heroku