Custom API Key for Image transforms - security questions

New user here, hopefully these questions aren’t dumb. I’ve created a custom key to fetch transformed images. It works well, but I have some questions about security.

Under my custom key rule I’ve just put:


I have two questions:

  1. Will that open an attack vector where anyone could run a ton of resize requests with the token and crash my site?
  2. Does that token allow people to do other untoward things to my /api/cockpit/image folder? Like upload nasty things? Or are the custom keys just about allowing read access?

Any insight would be appreciated. Thanks!