The only path that needs to be publicly accessible for event ingestion is `^/api/\d+/store/$`. Everything else can be blocked from public access. This endpoint is used to accept events only, with no read access, and is safe to expose.
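An added example, not part of the original post or the project's own code: a small Python check that classifies request targets against the pattern quoted above, useful for testing a proxy allowlist rule before deploying it. The function names and all sample paths are constructed for illustration.

```python
import re

# Pattern from the post, compiled strictly:
# - fullmatch() replaces ^...$ because "$" in Python also matches just
#   before a trailing "\n", which would let "/api/1/store/\n" through.
# - re.ASCII restricts \d to [0-9]; without it \d accepts any Unicode
#   decimal digit.
INGEST_PATH = re.compile(r"/api/\d+/store/", re.ASCII)


def is_public_ingest_path(request_target: str) -> bool:
    """Return True only if the path part is exactly /api/<digits>/store/."""
    # Drop the query string by hand; the path itself is left untouched so
    # nothing is normalised or stripped before the comparison.
    path = request_target.split("?", 1)[0]
    return INGEST_PATH.fullmatch(path) is not None


def blocked_targets(targets):
    """Return the targets that a default-deny rule should reject."""
    return [t for t in targets if not is_public_ingest_path(t)]


# Constructed sample request targets (not taken from real traffic).
SAMPLES = [
    "/api/1/store/",                  # allowed
    "/api/42/store/?k=v",             # allowed, query string ignored
    "/api/1/store",                   # missing trailing slash
    "/api/1/store/\n",                # trailing newline
    "/api/1/store/../../admin/",      # extra segments after the match
    "/prefix/api/1/store/",           # pattern not anchored at the start
    "/api//store/",                   # no project id digits
    "/api/\u0661/store/",             # non-ASCII digit
    "/api/7/other/",                  # different endpoint
]

if __name__ == "__main__":
    for target in SAMPLES:
        verdict = "allow" if is_public_ingest_path(target) else "block"
        print(f"{verdict:5}  {target!r}")
```
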