Regarding the bots: since you're building a privacy-first product, you should look into a Proof-of-Work captcha (like Hashcash or mCaptcha). Just have the user's browser mine hashes for a couple of seconds before issuing the trial token. A normal human won't even notice it, but it'll burn so many CPU cycles for bot farms that abusing your API becomes economically unviable.

Thanks for the suggestion, I’ll look into it!