Missing captcha - feature being abused. Let's fight bots.
When people change their name, it can be taken 37 days after and since this information is public, people and bots try to "snip" the names. You are probably well aware of this activity but something you are probably less aware of is the missing captcha that allows some people to make bots and spam the API to make money.
The way the "bot method" works is by reserving a username using the following endpoint with a PUT request (actually, thousands of them) and then the username is locked and only the bot who locked it first can use it on their account.
PUT https://api.mojang.com/user/profile/agent/minecraft/name/<wanted_username>
This feature was initially made to reserve a username when redeeming a gift code and that's completely fine BUT a captcha should be added to this request. In the past, a captcha was already added to the change name request, why not this one?
For example, the website https://chearful.ninja/ is selling "snips" and abuses this method hundreds of times a week. This shady business makes a lot and breaks the TOS by selling accounts as well (https://chearful.ninja/accounts/).
Another way of blocking these bots would be to rate limit the requests per token and not only per IP.
Edit: This issue was initially posted as private but nothing is happening, so I am opening it.
2020-06-18, 05:56 PM
2021-10-09, 10:09 PM
2021-10-08, 11:42 AM
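The per-token rate limit suggested in the report, as an added server-side sketch (not Mojang's code and not part of the original report). The class name, limits, window length, and sample traffic are constructed assumptions; the point is that a budget keyed only on IP is not exhausted when one token's requests arrive from many addresses, while a budget keyed on the token is.

```python
from collections import defaultdict, deque


class DualKeyRateLimiter:
    """Sliding-window limiter (hypothetical helper) that charges every request
    against both the source IP and the bearer token; if either budget is
    exhausted the request is rejected."""

    def __init__(self, per_ip, per_token, window_s):
        self.limits = {"ip": per_ip, "token": per_token}
        self.window_s = window_s
        # (kind, value) -> timestamps of requests that were allowed
        self.hits = defaultdict(deque)

    def allow(self, ip, token, now):
        keys = [("ip", ip), ("token", token)]
        for key in keys:
            q = self.hits[key]
            # Drop timestamps that have aged out of the window.
            while q and q[0] <= now - self.window_s:
                q.popleft()
            if len(q) >= self.limits[key[0]]:
                return False
        # Only record the request once both budgets have room.
        for key in keys:
            self.hits[key].append(now)
        return True


def simulate(limiter, requests):
    """Count how many (ip, token, timestamp) requests the limiter allows."""
    return sum(limiter.allow(ip, tok, ts) for ip, tok, ts in requests)


# Constructed sample: one token, 200 source addresses, one request each in ~1 s.
ROTATING = [(f"198.51.100.{i}", "token-A", i * 0.005) for i in range(200)]


def demo():
    # Assumed limits: 5 requests per 60 s. "ip_only" has no effective token cap.
    ip_only = DualKeyRateLimiter(per_ip=5, per_token=10**9, window_s=60)
    both = DualKeyRateLimiter(per_ip=5, per_token=5, window_s=60)
    return simulate(ip_only, ROTATING), simulate(both, ROTATING)


if __name__ == "__main__":
    print(demo())
```

Rejected requests are not counted against the budget here; counting them as well would keep a client that never backs off locked out for longer.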