The authentication for the API seems poorly designed. The auth token is your email address rather than a real auth token. If I know someone uses this service I can send a massive number of requests to cause a large credit card charge with just their email address. I thought this was just a mistake in the obviously LLM-written home page, but the API really does work this way after testing.
On top of that, logging in does not require a password, just an email address.