Security on API login

I’m looking for a solution for adding security to my login REST API which allows mobile users to loggin in the app.
Basically I have an API allowing the user sent credentials and returning a token as result for keeping the session.
The problem is when someone uses that API to try by brute force different emails and passwords until they get a valid user.
Is there any way to avoid this? reCaptcha is a solution in web sites but I did not see it on mobile apps.
Slowing down connections on failed attempts is ok (as well as exponential increment of delays) but this is only usefull if the attack is pointing to one specific account. Also the blocking IPs can be blocked but easily change by the attacker or any other pathern recognition on requests as agent.
Did anyone work on this kind of problems?

Did you found any solutions for this ??