If we take “unlimited unauthenticated API access shouldn’t be possible” for granted, I’m unfortunately not all that technically competent about what can be done next.
The first thing that comes to mind is treating website access and app access differently, maybe limiting app API access by default for people who haven’t logged in.
Or creating a separate bot API that’s rolled out across all servers at some point in the future… And I know federation could pose some serious chokepoints here so that’s where my speculation ends.
If we take “unlimited unauthenticated API access shouldn’t be possible” for granted, I’m unfortunately not all that technically competent about what can be done next.
The first thing that comes to mind is treating website access and app access differently, maybe limiting app API access by default for people who haven’t logged in.
Or creating a separate bot API that’s rolled out across all servers at some point in the future… And I know federation could pose some serious chokepoints here so that’s where my speculation ends.