There's two places where you can put a little bit of protection here. The URL could be slash UUID out of some insane length right so it's not very guessable. And then this app secret I suspect is like what is the secret you know knock knock what's the magic word sort of thing and there's just one login for it but for the right type of app that's probably good enough. Yeah yeah keeps the honest people honest exactly you want to hack you got to do it for real.