The only path that needs to be publicly accessible for event ingestion is ^/api/\d+/store/$.
Everything else can be blocked from public access. This endpoint is used to accept events only, with no read access, and is safe to expose.
3 Likes