PHP 7.4 & latest version of on premise Matomo 4.x
Token Auth is not needed!
Invalid token auth is also accepted!
And the visits show up in both above cases on the dashboard, under Dashboart/ visits log !!!
Is this intended? If so, then this is flabbergasting. Anyone can flood my dashboard! And the URL isn’t hard to guess …they simply have to look at the javascript requests and figure out what’s the URL to matomo.php and flood my dashboard 
I can provide logs on request
1 post - 1 participant