#42070 Brute force API attacks. Is there really no way to block them?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.3.1
PHP version: 8.3.22
Admin Tools version: 7.8.0

Latest post by nicholas on Tuesday, 01 July 2025 12:33 CDT

NicoFaaij

Dear Nicholas,

You closed #42058, but I am still concerned about the many API attacks we get. They are really trying everything, including default WordPress URL parts in those https://mywebsite.com/api/* website requests. Those high loads of attacks fired at my website are taking many resources. Is there really no way to block them? For me, it looks like hackers are doing some kind of DDoS fishing attacks on the /API Joomla backdoor. I also get a lot of downtime since I get these URL /API/* attacks. They are eating my hardware resources. Is there really no way to put a kind of block or firewall on this entrance to my Joomla website?

With kind regards, Nico

nicholas
Akeeba Staff
Manager

These are not "brute force" attacks by any stretch of the imagination. They are not even trying to guess your API token. Even if they did, the search space I used when I wrote this Joomla feature is so big that it would take them several trillion years. That's orders of magnitude longer than the age of the known Universe! It's more likely the Universe will experience heat death before they guess the correct token…

The bots that you see accessing your API are not consuming as many resources as you think. The "regular" 403 Not Allowed and 404 Not Found HTML error pages on your site's frontend consume 1000 to 10000 times more resources. I don't see you worrying about them because a. you receive no email about them and b. you have long since internalized they are expected, a fact of life.

What I am telling you is that the NotAcceptable responses from the API are just like the 404 and 403 responses of your site's frontend. They are expected. They are a fact of life. There's no reason to worry about them, and trying to do something about them will be either a colossal waste of your time and money, or it will only make things worse for your legitimate API use cases.

If you are somehow getting several dozens of thousands of these requests per day –at which point it does start making a difference to your server's performance– you can of course start blocking IPs manually, or use custom .htaccess code, or use a service like CloudFlare to rate-limit IPs which cause HTTP 4xx responses from /api/* URLs beyond a certain threshold (note that this is only possible in CloudFlare's paid tier, so you're talking about $20 / month). It's just like if you're getting tens of thousands of 404 and 403 responses in the frontend of the site. Which is to say, yeah, in theory you could do something, but in practice I have yet to see a site where these error responses are a palpable, actionable problem. Considering I've been making sites since 1998 I guess that's one way to say it's so extremely unlikely you need to do anything that it doesn't make sense even mentioning. But still, you asked, so you get a reply.

In any case, the only "problem" I see here is that you received an email which reads "Exception". Exceptions are not bad, despite the scary word used. They are the standard way to stop processing a request and handle graceful termination of the application among other things (dozens of exceptions are thrown and caught internally in the core and third party code in every request; exceptions are one of the foundational pillars of modern software development, for "the past 75 years" values of "modern"). When Joomla encounters a 403 or 404 error in the frontend it raises an exception there too, we just don't report it by email because it's obviously futile doing so. We misjudged people's response on the even less important NotAcceptable exception. So, starting with the next version of Admin Tools we will no longer be reporting this kind of exception either.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

NicoFaaij

Hi Nicholas,

Thank you for your reassuring and informative answer. I do indeed get thousands of "unhandled exception - Joomla\cms\Application\Exception\Notaccordable" emails per day.

In combination with the fact that since I get these every day in the past week, I also experience a lot of downtime every day, I thought they had to do with each other. So I feared that those API requests undermined the stability of my websites. I will now be less worried about those errors and will start looking for the reason for which so much downtime has occurred at the same time/days of those error mails, while AdminTools does not report or block any threat.

With thankful regards, Nico

nicholas
Akeeba Staff
Manager

If you are really getting thousands upon thousands of requests, well, you belong in that exceedingly rare category I mentioned. You'll have to put CloudFlare or something similar –I think BunnyCDN just launched a similar solution– in front of your site. Unless, of course, you always see the same source IP addresses, in which case you can block those IP address blocks.

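The two replies above suggest acting only if /api/* error responses reach thousands per day, and then either rate-limiting or blocking the repeating source IP blocks. Below is an added example, not code from the ticket or from Admin Tools, of the log-side check behind that advice: it counts HTTP 4xx responses under /api/ per client IP from Apache combined-format access log lines, reports the IPs above a chosen threshold, and groups them by network block. The log lines, the prefix, and the threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Apache "combined" log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
# 406 is the "Not Acceptable" status the Joomla API returns to bots.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:12:00:01 +0000] "GET /api/index.php/v1/users HTTP/1.1" 406 312 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2025:12:00:02 +0000] "GET /api/wp-login.php HTTP/1.1" 404 299 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2025:12:00:03 +0000] "GET /api/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jul/2025:12:00:04 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 406 312 "-" "curl/8.0"
198.51.100.7 - - [01/Jul/2025:12:00:05 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 200 5120 "-" "MyApp/1.0"
198.51.100.7 - - [01/Jul/2025:12:00:06 +0000] "GET /index.php/some-page HTTP/1.1" 404 1800 "-" "Mozilla/5.0"
"""


def api_error_counts(log_text, prefix="/api/"):
    """Count 4xx responses to requests under `prefix`, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m["path"].startswith(prefix) and m["status"].startswith("4"):
            counts[m["ip"]] += 1
    return counts


def offenders(counts, threshold):
    """IPs whose 4xx-on-API count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def group_by_block(ips, v4_prefixlen=24, v6_prefixlen=64):
    """Group offending IPs by network block, the unit you would block or rate-limit."""
    blocks = defaultdict(list)
    for ip in ips:
        plen = v6_prefixlen if ip_address(ip).version == 6 else v4_prefixlen
        net = ip_network(f"{ip}/{plen}", strict=False)
        blocks[str(net)].append(ip)
    return dict(blocks)


if __name__ == "__main__":
    counts = api_error_counts(SAMPLE_LOG)
    print(group_by_block(offenders(counts, threshold=2)))
```

Run it over a real access log with a daily threshold in the thousands, as the reply suggests, and only the sources that actually matter for capacity show up; the legitimate API client (198.51.100.7) never appears because its API calls succeed.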
