An expiry time should be required and not optional, or a default one well specified (e.g. 30 days). The endpoint shouldn't have to keep reporting that "something has happened" to agents forever.

Maybe ...

- When the expiry time is passed, any queries to the endpoint are invalid and shouldn't be performed. If they're performed anyway, the endpoint may simply not respond if it's feeling rude, or it can respond with 410 Gone or something like that if it's feeling nice.

Also what if the agent has registered more endpoints than the endpoint can handle. 429 Too Many Requests seems appropriate.

Also the agent should be required to confirm with the user or otherwise warn if the "happened" URL is not in the original domain of the request.