Each API call must contain a HMAC SHA256 signature which is generated based on the path, URL parameters, and payload, signed with the API key and secret. This signature is validated for every API call. Additionally, API calls are rate limited based on the resource type.