I suggest maybe finding a way to secure APIs. One API could be leaked and people could steal funds.
Currently, both the user token and API key (which is handed out to developers on an as-needed basis) are required before using the API.
Also, users must physically have API access enabled in their account - if they're not using the API they should keep it off.