I want to give users the option to set their display name once and only once. Maybe we might process name change requests in the future, or offer it as a premium service, but the point is I don't want users to be able to update their own display names at will.
I'm looking at the UpdateUserTitleDisplayName API call:
It looks like this is in the Client API. If I use this, it seems like someone theoretically could just make an HTTP POST request and change their username.
How can I prevent this? I want to use either the Username or Title Display Name, rather than just a read-only field, so that I can search for players based on these identifiers. (via GetAccountInfo and such).