App ID and REST API Key are exposed in email (upon registration, reset password)
When a user registers (with registration and email confirmation enabled), he'll receive the following link:
Isn't this dangerous, considering that all permissions are, by default, allowed for the REST user? One user may easily use the App ID and REST key to bulk delete a table, if he predicted a table name, since the App ID and REST key are exposed.