Token Auth is not needed!
Invalid token auth is also accepted!
And the visits show up in both above cases on the dashboard, under Dashboart/ visits log !!!
Apparently this is expected behavior (comment received on Github)
As I only plan to use the HTTP API (since I want to have total control on the way certain things are logged), I will implement htaccess level protection and include those details in my call to the http api
The thing is that when your tracking code is client side, a “spammer” will always be able to flood your Matomo server. He just has to copy the URL sent to your Matomo server and change a few params.
Then even if you used a tokent_auth, he could use it for the spamming, this could not protect you at all…