clarkwinkelmann Let me try to explain what I'm doing. I created an API, and when this API is used (it can't be accessed directly via URL), it detects the user's real IP address using the code I shared earlier and associates it with the user who used the API in the database.
After that, the API can never be used again with the same IP address. To clarify further, this API is used by guests, and a user account is created on their behalf. Once they log out and try to use the API again, it won’t be allowed.
Of course, this can easily be bypassed with a VPN or proxy. I should also mention that solving a CAPTCHA is required to use the API.
I know it’s impossible to make an API completely secure when it’s open to visitors, but I’m trying to minimize spam as much as possible.
Besides IP matching, additional security measures like fingerprinting, cookies, or sessions could be added, but I’m not planning to include those for now.
From what you said, it sounds like using the code this way is reasonable. Thank you for your response and help. I’d also be happy to hear any other suggestions you might have!
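
A sketch of the one-use-per-IP check described in this post, added here as an example and not taken from the post or from the code its author shared earlier. It assumes the API sits behind a reverse proxy in `10.0.0.0/8` that sets `X-Forwarded-For`, treats an IPv6 /64 as one client, and stores claims in a SQLite table; the table name `guest_signups` and all function names are hypothetical.

```python
import ipaddress
import sqlite3

# Assumption: only this reverse-proxy range may set X-Forwarded-For (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(addr):
    # ip_address() raises ValueError on garbage, so a malformed hop rejects the request.
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, forwarded_for=None):
    """Walk X-Forwarded-For right to left and return the first hop that is not our proxy."""
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    current = peer
    while is_trusted(current) and hops:
        current = hops.pop()
    return current

def normalize_ip(raw):
    """Canonical key: unwrap IPv4-mapped IPv6, collapse IPv6 to its /64 (assumption)."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

def open_db():
    db = sqlite3.connect(":memory:")
    # The PRIMARY KEY is the enforcement point: two concurrent requests cannot both insert.
    db.execute("CREATE TABLE guest_signups (ip_key TEXT PRIMARY KEY, user_id INTEGER NOT NULL)")
    return db

def claim_ip(db, ip_key, user_id):
    """Record the address; return False if it was already used (no check-then-insert race)."""
    try:
        with db:
            db.execute("INSERT INTO guest_signups VALUES (?, ?)", (ip_key, user_id))
        return True
    except sqlite3.IntegrityError:
        return False

def allow_guest(db, peer, forwarded_for, user_id):
    return claim_ip(db, normalize_ip(client_ip(peer, forwarded_for)), user_id)
```

When the direct peer is not a trusted proxy, the header is ignored entirely, so a client cannot obtain a fresh address by sending its own `X-Forwarded-For` value.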