PDS hosters: folks should not have PDS_INVITE_REQUIRED=false in their config unless they know what they are doing.
at a minimum you need CAPTCHAs on all signup routes, to block/disable the createAccount API flow, etc.
we know this should be smoother.