yea. Their frontend SDK signs each request that is sent, and their gateway verifies that. This prevents replay attacks