Client Id and Client Secret during registration from Client App?

That’s exactly why I asked.

In your case, then, I would recommend writing a user registration page into your app that calls /rest/system/user to create a DreamFactory user like the example from the documentation page I linked above:

POST https://api.mydomain.com/rest/system/user?send_invite=true

POSTed data:

{
  "record": [
    {
      "email": "user@domain.com",
      "first_name": "User",
      "last_name": "Name",
      "display_name": "User Name",
      "phone": "6785555555",
      "is_active": false,
      "is_sys_admin": false
    }
  ]
}

With send_invite=true in the URI, no initial password value provided, and "is_active": false in the POSTed JSON, the user will be sent an invitation email according to the email service and templates you have set up in Config for this purpose:

From: App Name <api@mydomain.com>
Date: Wed, 01 Jul 2015 12:53:19 -0400
Subject: Invitation to App Name
To: user@domain.com

Hi User,
You have been invited to App Name. Go to the following url, enter the code below, and set your password to confirm your account.

https://api.mydomain.com/dist/#/user-invite

Confirmation Code: d820e0ee2b5f33c779f4b3c9da24575f

Thanks,

App Name

If this added step of user self-confirmation is insufficient for your security needs, then I suppose your best bet would be to write a server-side script to intercept the registration POST and verify a shared secret before allowing the POST to continue by calling platform.api.post("system/user",*{payload here}*); from within the script.

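The shared-secret gate suggested in the last paragraph, sketched as an added example (not code from the original post or from DreamFactory). It is written for Node.js so it runs on its own; the header name `x-registration-secret`, the `{ headers, body }` request shape and the `api` argument (a stand-in for the `platform.api` object the post mentions) are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumption: the registration page sends the shared secret in this header.
const SECRET_HEADER = "x-registration-secret";

// Hash both values first so timingSafeEqual always gets equal-length buffers
// and the comparison time does not reveal where the strings differ.
function secretMatches(presented, expected) {
  if (typeof presented !== "string" || presented.length === 0) return false;
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Only the profile fields from the post's example payload are copied through.
const ALLOWED_FIELDS = ["email", "first_name", "last_name", "display_name", "phone"];

function buildUserRecord(input) {
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof input[field] === "string") record[field] = input[field];
  }
  // Never trust the client for these: a self-registered user starts
  // inactive (so the invite flow applies) and is never a system admin.
  record.is_active = false;
  record.is_sys_admin = false;
  return record;
}

// request: { headers, body } (hypothetical shape); api: object with post(path, payload).
function handleRegistration(request, api, expectedSecret) {
  const presented = (request.headers || {})[SECRET_HEADER];
  if (!secretMatches(presented, expectedSecret)) {
    return { status: 403, forwarded: false };
  }
  const records = request.body && request.body.record;
  if (!Array.isArray(records) || records.length !== 1 ||
      !records[0] || typeof records[0].email !== "string") {
    return { status: 400, forwarded: false };
  }
  const payload = { record: [buildUserRecord(records[0])] };
  api.post("system/user", payload); // same resource path as in the post
  return { status: 200, forwarded: true, payload };
}
```

A secret shipped inside a client app can be extracted from that app, so this gate filters casual or automated sign-ups rather than proving which client sent the request.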