Common sense for anyone not an idiot? The moment you expose any API externally you always run a risk of whatever level that it is abused, possibly by a mistake you made. WORST case is that you deploy access tokens to a third party provider - which can be hacked. Logic. Try it.