Hi, I’m reading through the API documentation, focusing on the tracking code API, and have a few questions regarding security.
The HTTP Tracking API page mentions the endpoint is not rate limited and unsecured. If I were a malicious player, what would stop me from bruteforcing the HubID or the EventID? The documents mention that a string can be passed in EventID and the system will automatically create the event. Isn’t that prone to abuse? At the very least, it could skew our metrics.
Also, the contact email address parameter exhibits the same behaviour. If someone spams this endpoint with multiple emails, wouldn’t those emails be registered as new contacts? Also, wouldn’t that affect the user’s billing?
Thanks for the suport.