token_auth totally ignored with the HTTP API calls! Serious issue

PHP 7.4 & latest version of on-premise Matomo 4.x

Token Auth is not needed!
Invalid token auth is also accepted!

And the visits show up in both of the above cases on the dashboard, under Dashboard / Visits Log!!!

Is this intended? If so, then this is flabbergasting. Anyone can flood my dashboard! And the URL isn’t hard to guess… they simply have to look at the JavaScript requests, figure out what the URL to matomo.php is, and flood my dashboard.

I can provide logs on request

Apparently this is expected behavior (comment received on GitHub).

As I only plan to use the HTTP API (since I want total control over the way certain things are logged), I will implement .htaccess-level protection and include those details in my calls to the HTTP API.

P.S. One can use Guzzle and send async requests without waiting for a response. So this will be faster, with almost zero chance of users flooding the Matomo code directly, and also no chance of JavaScript injection or cookie tampering on the client side.
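An added example of the setup described above (not the poster's code and not part of Matomo): matomo.php is put behind HTTP Basic auth in .htaccess, and the application sends tracking hits server-side through Guzzle with those credentials, settling the async requests once at the end. The hostname, site id, credentials and token_auth value are placeholders.

```php
<?php
// Added example, not the poster's or Matomo's code. Assumes matomo.php is shielded
// by an .htaccess Basic-auth rule so browsers can no longer call it directly.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Promise\Utils;

$client = new Client([
    'base_uri' => 'https://analytics.example.com/', // placeholder Matomo host
    'timeout'  => 2.0,
]);

// Credentials for the .htaccess Basic-auth gate in front of matomo.php (placeholders).
$basicAuth = ['tracker-client', getenv('MATOMO_BASIC_PASS') ?: 'CHANGE-ME'];

/**
 * Build the query for one page-view hit. token_auth is sent only because we override
 * the visitor IP (cip), which Matomo refuses without it; a plain hit needs no token.
 */
function buildHit(string $url, string $title, string $visitorIp, string $userAgent): array
{
    return [
        'idsite'      => 1,                      // placeholder site id
        'rec'         => 1,
        'apiv'        => 1,
        'url'         => $url,
        'action_name' => $title,
        'cip'         => $visitorIp,
        'ua'          => $userAgent,
        'token_auth'  => getenv('MATOMO_TOKEN_AUTH') ?: 'CHANGE-ME', // placeholder
        'rand'        => random_int(1, PHP_INT_MAX),
    ];
}

// Constructed sample hits, sent concurrently so the page response is not delayed.
$promises = [];
foreach ([['/checkout', 'Checkout'], ['/thanks', 'Order complete']] as [$path, $title]) {
    $promises[] = $client->requestAsync('GET', 'matomo.php', [
        'query' => buildHit("https://shop.example.com$path", $title,
                            $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1',
                            $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'),
        'auth'  => $basicAuth,
    ]);
}

// Guzzle promises only complete when settled; do it once, at the end of the request.
foreach (Utils::settle($promises)->wait() as $i => $result) {
    if ($result['state'] !== 'fulfilled' || $result['value']->getStatusCode() !== 200) {
        error_log("matomo hit $i failed"); // log server-side, never surface to the visitor
    }
}
```

Restricting matomo.php this way also blocks the JavaScript tracker, so it only fits a deployment that tracks exclusively through the HTTP API, as the post describes.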

Hi @vmds7777

The thing is that when your tracking code is client side, a “spammer” will always be able to flood your Matomo server. He just has to copy the URL sent to your Matomo server and change a few params.
Then even if you used a token_auth, he could use it for the spamming; this could not protect you at all…