App ID and Rest API Key are exposed on email(upon registration, reset password)

When a user registers(with registration and email confirmation enabled), he’ll receive the following link:{app_id}/{rest_api_key}/users/confirmation/{user_object_id}

Isn’t this dangerous? Considering that all permissions, on default, are allowed for the rest user? One user may use the app id and rest key to bulk delete a table, if he predicted a table name, easily since the app id and rest key are exposed.

PS: He doesn’t even need to guess a table name. I tried the following and all the data are deleted from the users table:
curl -X DELETE ‘{app_id from email}/{rest_key from email}/data/bulk/Users’


API key is not secret. Data should protected by configurating the permissions.

Regards, Olga

Thank you for replying. Yes, that is one way, but currently I’m using the rest api user to delete some data, which means I should leave the permission to ON. Do you have any suggestions regarding this?

You can create the user named “admin” and give him the permission to delete data if he is logged in.

Regards, Olga