Allow me to take a step back and explain how the Event upload system works on CleverTap. Each account has a Unique Account ID which is used to raise Events for your Users through your different platforms. We add another layer of authentication for the APIs, via the Passcode, which is unique to each account. This Passcode is a mandatory field to download and upload Events via API. The SDKs have a token as a mandatory field to raise Events on user-based actions on your App. The Passcode has an added layer in that it can be reset by the Account Admin at any given point to maintain security for your account.
The suggestion of a nonce is a great one, but it has its own drawbacks as well. A nonce is typically used to authenticate a login or at a place where slower reactiveness from the server is acceptable. In our situation, if the authentication happens the first time, the possibility of running the script can still be there. Moreover, at the scale at which we accept data and send out Engagement in real time, applying a nonce will slow down the ingestion and also engagement based on live Events.
I understand your concern here, but this is a scenario which is faced by all platforms in the industry and is not something that can entirely be taken care of. This being said, I will take this as feedback to our Product team.
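To make the trade-off discussed in this reply concrete, here is an added example (not CleverTap's code, and not part of the original thread) of a server-side check for an event upload request. It shows the two layers described above, a per-account passcode checked in constant time, and an optional nonce-plus-timestamp replay check. The header names, the account store and the 300-second window are assumptions for the example; what the nonce layer adds is the per-request state (`NonceCache`) that has to be kept and purged for every accepted upload, which is the ingestion cost the reply refers to.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credential store (not real CleverTap values):
# account id -> passcode. A real deployment would store a hash, not the passcode.
ACCOUNTS: Dict[str, str] = {
    "ACCT-EXAMPLE-1": "passcode-example-1",
}


def check_passcode(account_id: str, passcode: str) -> bool:
    """Layer 1: the per-account passcode. Constant-time comparison so that
    response timing does not reveal how much of a guess matched."""
    expected = ACCOUNTS.get(account_id)
    if expected is None:
        # Compare against a dummy so unknown accounts cost the same time.
        hmac.compare_digest("x" * 32, "y" * 32)
        return False
    return hmac.compare_digest(expected.encode(), passcode.encode())


class NonceCache:
    """Layer 2 (optional): replay protection. Every accepted nonce must be
    remembered for `window` seconds; this per-request state is the cost
    that a high-volume ingestion path has to pay for a nonce scheme."""

    def __init__(self, window: int = 300) -> None:
        self.window = window
        self._seen: Dict[str, float] = {}  # nonce -> timestamp sent with it

    def _purge(self, now: float) -> None:
        expired = [n for n, ts in self._seen.items() if now - ts > self.window]
        for n in expired:
            del self._seen[n]

    def accept(self, nonce: str, request_ts: float, now: float) -> Tuple[bool, str]:
        self._purge(now)
        if abs(now - request_ts) > self.window:
            return False, "timestamp outside window"
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = request_ts
        return True, "ok"

    def size(self) -> int:
        return len(self._seen)


def authenticate_upload(headers: Dict[str, str], now: float,
                        cache: Optional[NonceCache] = None) -> Tuple[bool, str]:
    """Validate an upload request. Header names are assumptions for this example.
    With cache=None only the passcode layer runs (stateless, cheap); with a
    cache the nonce/timestamp layer runs as well (stateful)."""
    account_id = headers.get("X-Account-Id", "")
    passcode = headers.get("X-Passcode", "")
    if not check_passcode(account_id, passcode):
        return False, "bad account id or passcode"
    if cache is None:
        return True, "ok (passcode only)"
    nonce = headers.get("X-Nonce", "")
    if not nonce:
        return False, "missing nonce"
    try:
        request_ts = float(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    return cache.accept(nonce, request_ts, now)


if __name__ == "__main__":
    now = 1_700_000_000.0
    cache = NonceCache(window=300)
    req = {"X-Account-Id": "ACCT-EXAMPLE-1", "X-Passcode": "passcode-example-1",
           "X-Nonce": "n1", "X-Timestamp": str(now)}
    print(authenticate_upload(req, now, cache))      # first use: accepted
    print(authenticate_upload(req, now + 1, cache))  # same nonce again: rejected
```

A timestamp window bounds how long each nonce has to be remembered, so the cache stays small, but every accepted event still costs a lookup and an insert in shared state; resetting the passcode, as the reply describes, needs no such per-request state.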