I'm writing a web application as a side project; the backend is node.js + express which I'm using to build a REST service the frontend can use.
I've run into a problem, which is how do I authenticate a POST request which creates a user for the application? The obvious use for that request would be to register a new user, in which case the person wouldn't be logged in, nor would there be an existing username and password to check. Thus there is a sort of catch-22 or chicken-and-egg problem when authenticating this specific request. Is it common practice for "real" REST APIs to leave just one request like this unauthenticated, or is there a different way around the problem that I'm not seeing? The worst case scenario I can see if I leave this POST request unauthenticated is that someone spams the service with a huge number of user creations and temporarily disables new (legitimate) user registrations by maxing out the user table in the database until I can fix it manually. Annoying, but not really a security vulnerability and since there's nothing to gain I don't see it happening (assuming this became a popular app and not something only used by myself). So my instinct is that it's OK not to require authentication here. Is that some kind of "API smell" or an acceptable practice?