A good write up of a discovery process. Someone online will be probing your private API looking for auth bypasses. You will learn something reading this post.

Note, I would not have gone so far myself; some of these actions could be considered unauthorized access and will generate commercial and state negative attention. Always get approval and authorization before attempting to probe systems for vulnerabilities.