I’m testing out the Management API for the user signup process and I’ve observed two disturbing issues about it. First, even if I don’t specify the client_id parameter, it still works and a new user is created. This seems to be opposed to what’s stated in the docs (https://auth0.com/docs/api/authentication#signup), where client_id is marked as required. Is this the expected behaviour?
Secondly, I’m a bit worried about the fact that this API can simply be called by anyone in bulk, as it’s not secured by any authentication. This means that, in theory, anyone can spam our user DB (e.g. via curl). My question: do you block such suspicious bulk API requests, for example by throttling or other mechanisms?