Can you elaborate a bit more on your second question? Call? As in webRTC?
The first part you could set a cookie/something in storage to check, or you can keep a DB of IP addresses and check/update requests per IP.
Both aren't a great solution as they can easily be navigated around, so I would suggest requiring users to be logged in so you have associated accounts with requests.
The typical way for tracking a user across sessions in a browser is through a cookie, which is automatically sent by the browser on subsequent requests.
However, there is nothing stopping a non-browser client from emulating this process by storing issued cookies themselves and re-sending them on subsequent API requests (cookies are just HTTP headers, after all).
You may be better off approaching this problem from another perspective, and requiring registration with an email address, or authentication with a third-party SSO provider like GMail or Facebook. This means that you still have authentication, but it's harder to "abuse" whatever service you're planning provide given the inherent difficulty in obtaining a new set of unique credentials.