In my app we create create an anonymous guest account upon install that has limited database access. I’m trying to limit abuse of the guest-account-creation endpoint. I was thinking the endpoint could require the user’s installationId, and then check it against the database so that there could only be one guest account per install. But someone could just make up a fake installationId each time, and I’d have no way of knowing.
So I’m wondering if there’s any way to check whether the installationId is genuine? Or any thoughts on how to distinguish real installs from fake ones?