This api isn’t meant as an alternative to server-sided protection. It just makes it way harder to make exploits.