Can auth_requests be abused for flooding?

If an attacker knows our Mender auth URL, they could script thousands of auth_requests and create mass pending devices. Is there a way to prevent or mitigate this kind of flooding without blocking legitimate devices?