• Dave@lemmy.nz
    2 days ago

    Realistically, federation is not the main concern. You can leave all your API endpoints open to bots and not have a problem because they are loading the web app. Just block the web app for suspicious traffic.

    ActivityPub already uses authentication to some extent with other instances; it’s the first contact where you have to have trust.

    My main concern is still that media is loaded directly from users in most cases; the APIs are not a problem right now as the bots aren’t specifically targeting Lemmy. There are ways to address this, but Lemmy (and other threadiverse services) don’t have full-time dev teams; they work on what they can or want to work on given the very low hourly rate.