@polotek @tillshadeisgone You're right about that. The ideal solution would be if instance API users had to do delegated authentication via OAuth2. Then anyone could build whatever they wanted, but data would only move around with consent. From there you could elaborate to blocklists, sensible defaults, etc.