@User, from a security point of view, what exactly are the risks in keeping the AP...
@User, from a security point of view, what exactly are the risks in keeping the APIs we provide open?

- If we added an API key to call our APIs, an attacker could fetch their own API key to call our API anyway.
- If an attacker wants to phish passwords (via the enter new password form), they can create their own app, make their website look like the target website, and send "legit" password reset emails to targeted users anyway. They could even call their app the same name. So adding an API key wouldn't solve this issue either. The proper way would of course be to send the email via an email ID that uses the @website domain. However, for that, you would need to override the function (we will mention this and the other points in the docs).

------------

So I don't see why we should add an API key as such to the endpoint we provide - am I missing some edge case here?