Hehe, no problem! There are a lot of parts here and it’s tough to make sure everything’s watertight, so to speak.
With regards to domain restrictions, there is something called CORS that would come in handy. We could in theory have our API server return a header that says that only codacms-js-demo.zettl.io is allowed to make requests using that token. But note that this is merely a header respected by popular browsers like Chrome – it wouldn’t stop someone from using that token outside of a browser, such as in their own Python or shell script or other environment that doesn’t respect web headers.
The 1000 requests/minute is something we set up on our end to help prevent someone accidentally overloading our servers with a ton of requests, i.e., writing a script that makes hundreds of requests a second. But again, if you (or anyone else) are thinking of taking the API further, we’re happy to evaluate requests to raise that limit for your account.
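To make the two points in the reply above concrete, here is an added server-side sketch (example code, not part of the thread or of the API it discusses). It assumes an allowlist containing the origin named in the reply and the 1000 requests/minute figure; the sliding-window limiter and the `handle_request` helper are illustrative designs, not the service's actual implementation. It shows that the CORS header is only ever emitted in response to a browser's `Origin` header, so a client that sends no `Origin` is simply served without one, and that the rate limit is enforced independently of CORS, per token, on the server.

```python
import time
from collections import defaultdict, deque

# Constructed example values: an origin allowlist and the limit from the thread.
ALLOWED_ORIGINS = {"https://codacms-js-demo.zettl.io"}
RATE_LIMIT = 1000          # requests
RATE_WINDOW_SECONDS = 60   # per minute


def cors_headers(request_headers):
    """Return the CORS response headers appropriate for this request.

    Browsers send an Origin header on cross-site requests and block the page's
    JavaScript from reading the response unless the server answers with an
    Access-Control-Allow-Origin it accepts.  A non-browser client sends no
    Origin, receives no CORS header, and is served exactly the same.
    """
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # Echo the specific origin (never '*') so the allowlist stays explicit;
        # 'Vary: Origin' stops caches serving one origin's answer to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


limiter = SlidingWindowLimiter()


def handle_request(token, request_headers, now=None):
    """Return (status, response_headers) for an API call made with `token`.

    The limit is keyed on the token, so it applies whether the caller is a
    browser page or a script; CORS only decides which headers go back.
    """
    if not limiter.allow(token, now):
        return 429, {"Retry-After": str(RATE_WINDOW_SECONDS)}
    return 200, cors_headers(request_headers)


if __name__ == "__main__":
    # Browser request from the allowed origin: served, with the CORS header.
    print(handle_request("demo-token", {"Origin": "https://codacms-js-demo.zettl.io"}))
    # Script with no Origin header: also served, just without a CORS header.
    print(handle_request("demo-token", {}))
```

The takeaway matches the reply: `Access-Control-Allow-Origin` is advice to browsers about what a page may read, not an access-control check on the server, so anything you actually want enforced (per-token limits, scoping a token to certain operations) has to live in the request handler itself.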