Unfortunately there is no silver bullet here -- all analytics services have this problem too (Google Analytics, Mixpanel, etc.).

Our best practices for mitigating this problem:

Access tokens
Use a separate client-side token with post_client_item scope only. (This is the default post_client_item token.) The client-side access token can only be used to send events and only from client-side platforms. It can't be used to read any data, and it can't be used to spoof server-side events.

Tokens can be disabled and replaced at any time. If someone is abusing your token, you can disable it and use a new one instead.

IP Blacklist
We also provide an IP Blacklist so that you can blacklist specific malicious IPs. You can find the source IPs in the Rollbar interface, and then add those IP(s) to the blacklist. (Project -> Settings -> IP Blacklist)

Did this answer your question?