How safe is the API when using remote_user_guard?

[BhasherBEL]

I'm using AUTHENTICATION_GUARD=remote_user_guard with Authelia and Traefik, but I would like to be able to take advantage of the API for 3rd party tools, using tokens. To do so, I put everything behind an authelia middleware, except the /api/. How safe is it to do so? Can someone use REMOTE_USER to do something with the API? Is there another, more secure way to solve this? Thank you!

[JC5]

If you exclude the api path, you're safe. What's important to know is that you can only use personal access tokens. REMOTE_USER headers will not work, also not for other people.