I'm currently in the same boat, although my use case is a bit different as the accounts would need some manual approval, but still I don't want it to be easy to figure out the public endpoint.
I've thought of, like you suggested, moving this to Express and doing the call from there. That should be the simplest way to hide some implementation details and hide the endpoint.
Of course it won't be foolproof (reCAPTCHA might be a bit too much).
As mentioned, I also can't find any documentation on this; it seems like it should be a more usual problem.