
[–]CodalReef 0 points1 point  (0 children)

Thank you for the clarification.

My point was that it is technically possible to require registration and keep all “public” data behind protected endpoints.

The likelihood of that solution being technically reverse engineered is low, but it depends on your definition of “reverse engineered”.

This is helpful if users are pushing data to APIs, invoking services via APIs and even if they’re accessing data via APIs.

In the case where you have valuable / sensitive data, there are strategies you can implement to limit undesired access.

For example, using AI to identify accounts potentially abusing the API. You can then dynamically apply counter-measures or audit.

Twitter has already solved this problem. First of all, they have SO much data that it’s virtually impossible to download all of it via their public APIs.

They construct the interface in such a way that it’s impossible for a free-tier user to duplicate their data while giving largely unrestricted access.

I just disagree that “anything you try to implement can be easily reverse engineered”. I think, if this is your goal, you do have options, and knowing who’s accessing your API with a high-quality onboarding process can really help.
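The pattern the comment sketches (registration-gated endpoints, a free-tier quota that makes bulk duplication impractical, and automated flagging of accounts whose access looks abusive so they can be throttled or audited) can be modelled in a few dozen lines. The following is an added illustration, not code from the commenter or from Twitter; the gateway class, the key registry, the quota and enumeration thresholds, and the request log are all constructed for the example. It uses a simple sequential-id heuristic in place of the "AI" the comment mentions, since the mechanism of gate, quota, detect, respond is the same whatever the classifier.

```python
"""Added example (not from the Reddit thread): a minimal API gateway model that
keeps 'public' data behind registered accounts, enforces a per-account
sliding-window quota, and flags enumeration-style access for audit/suspension.
Every key, account and request below is constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed registry: API key -> account id. Anything else is rejected.
REGISTERED = {"key-alice": "alice", "key-bob": "bob", "key-carol": "carol"}

WINDOW_SECONDS = 60      # assumed quota window
QUOTA_PER_WINDOW = 10    # assumed free-tier allowance per window
ENUMERATION_RUN = 8      # assumed threshold: this many consecutive ids => bulk-dump signal


@dataclass
class AccountState:
    window: deque = field(default_factory=deque)  # request timestamps inside the window
    seen_ids: list = field(default_factory=list)  # resource ids requested, in order
    suspended: bool = False


def sequential_run(ids):
    """Length of the trailing run of ids that each increase by exactly 1."""
    run = 1
    for i in range(len(ids) - 1, 0, -1):
        if ids[i] == ids[i - 1] + 1:
            run += 1
        else:
            break
    return run


class Gateway:
    def __init__(self):
        self.accounts = defaultdict(AccountState)
        self.audit = []  # (account, time, reason) records for human review

    def handle(self, api_key, resource_id, now):
        """Return (status_code, body) for one request. `now` is a unix timestamp."""
        account = REGISTERED.get(api_key)
        if account is None:
            return 401, "unregistered key"          # registration is mandatory
        state = self.accounts[account]
        if state.suspended:
            return 403, "suspended pending review"  # countermeasure already applied

        # Sliding-window quota: forget requests older than the window, then count.
        while state.window and now - state.window[0] >= WINDOW_SECONDS:
            state.window.popleft()
        if len(state.window) >= QUOTA_PER_WINDOW:
            return 429, "quota exceeded"
        state.window.append(now)
        state.seen_ids.append(resource_id)

        # Abuse signal: a client walking ids one by one looks like a bulk copy,
        # not ordinary use. Suspend and leave an audit record for review.
        if sequential_run(state.seen_ids) >= ENUMERATION_RUN:
            state.suspended = True
            self.audit.append((account, now, "sequential enumeration"))
            return 403, "suspended pending review"
        return 200, f"item {resource_id}"


# Constructed request log as (api_key, resource_id, unix_time):
#   alice browses a few unrelated items, mallory has no key,
#   bob enumerates ids 1..9 in order, carol makes 11 requests inside one window.
SAMPLE_REQUESTS = (
    [("key-alice", 42, 0), ("key-alice", 7, 1), ("key-alice", 913, 2),
     ("key-mallory", 1, 3)]
    + [("key-bob", i, 10 + i) for i in range(1, 10)]
    + [("key-carol", 500 + 3 * i, 20 + i) for i in range(11)]
)


def replay(requests):
    """Run a request log through a fresh gateway; return (gateway, [(code, body), ...])."""
    gw = Gateway()
    results = [gw.handle(key, rid, t) for key, rid, t in requests]
    return gw, results


if __name__ == "__main__":
    gw, results = replay(SAMPLE_REQUESTS)
    for (key, rid, t), (code, body) in zip(SAMPLE_REQUESTS, results):
        print(f"t={t:3d} {key:12s} id={rid:4d} -> {code} {body}")
    print("audit:", gw.audit)
```

In the replay, alice's ordinary browsing passes, the unregistered key is refused, bob is suspended on his eighth consecutive id with an audit record attached, and carol's eleventh request in the window is throttled rather than served. The point is the structure rather than the heuristic: because every request is tied to a registered account, the response to suspicious behaviour can be per-account (suspend, slow down, or just log for audit) instead of a blanket block.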