KurSix 3 days ago

Regarding the bots: since you're building a privacy-first product, you should look into a Proof-of-Work captcha (like Hashcash or mCaptcha). Just have the user's browser mine hashes for a couple of seconds before issuing the trial token. A normal human won't even notice it, but it'll burn so many CPU cycles for bot farms that abusing your API becomes economically unviable.
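
An added example, not part of the thread and not code from Hashcash or mCaptcha: a minimal Hashcash-style gate of the kind suggested above, written for Node.js, showing the server-side checks that make the client's work count. The function names, the `salt.expires.bits.tag` challenge format, the 12-bit difficulty and the in-memory replay set are assumptions made for the demo.

```javascript
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SERVER_KEY = randomBytes(32); // assumption: per-deployment secret, never sent to clients
const DIFFICULTY_BITS = 12;         // assumption: low so the demo is fast; raise until solving takes seconds
const TTL_MS = 120000;              // assumption: challenge lifetime
const spent = new Set();            // assumption: in-memory replay cache; use a shared store with expiry

const mac = (data) => createHmac("sha256", SERVER_KEY).update(data).digest("hex");

// Server: issue a signed challenge, so nothing is stored until a solution arrives.
function issueChallenge(now = Date.now()) {
  const body = `${randomBytes(16).toString("hex")}.${now + TTL_MS}.${DIFFICULTY_BITS}`;
  return `${body}.${mac(body)}`;
}

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

const work = (challenge, nonce) =>
  leadingZeroBits(createHash("sha256").update(`${challenge}:${nonce}`).digest());

// Client: brute-force a nonce (in a browser this loop would run in a Web Worker).
function solve(challenge) {
  const bits = Number(challenge.split(".")[2]);
  for (let nonce = 0; ; nonce++) if (work(challenge, nonce) >= bits) return nonce;
}

// Server: check signature, expiry, work and single use before issuing the trial token.
function verify(challenge, nonce, now = Date.now()) {
  const parts = String(challenge).split(".");
  if (parts.length !== 4) return "malformed";
  const [salt, expires, bits, tag] = parts;
  const expected = Buffer.from(mac(`${salt}.${expires}.${bits}`));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad-signature";
  if (now > Number(expires)) return "expired";
  if (!Number.isSafeInteger(nonce) || work(challenge, nonce) < Number(bits)) return "insufficient-work";
  if (spent.has(salt)) return "replayed";
  spent.add(salt);
  return "ok";
}
```

The HMAC tag is what stops a client from lowering the difficulty or extending the expiry, and the replay set is what stops one solved challenge from being exchanged for many trial tokens.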

BrunoBernardino 3 days ago | parent [-]

Thanks for the suggestion, I’ll look into it!

pona-a 2 hours ago | parent [-]

As someone interested in cryptography, I'd also recommend a VDF. A Wesolowski VDF isn't that hard to hand-roll [0] [1] and will make parallel attacks much harder while penalizing low-power devices less.

[0] https://reading.supply/@whyrusleeping/a-vdf-explainer-5S6Ect
[1] https://eprint.iacr.org/2018/623