There should be auth tokens that go into init that authorize the use of certain userbase functions, but not others for a given app.
for example when calling init() using the js sdk, a client can automatically use the sign up function. however there are cases where clients should not be allowed to use the sign up function.

Hey, we've got thoughts on enabling a webhook that you can route requests through, so you can write your own custom server-side logic to handle cases like this (e.g. only certain users with a special token can have their request to sign up successfully routed to Userbase). A description of the webhook is in #260. Unfortunately we're super low on bandwidth at the moment, so likely won't be implemented in the near future.

The approach of using tokens per-function would add a fair bit of complexity to the SDK, which we've been extremely careful to keep as simple as possible. The webhook would likely be the way we'd offer support for something like this.