I'm not sure of the best practice or how to get around this. I have an API which requires an access token. This token is provided via oauth when a user logs in. How do I protect the API but allow a new user to create an account when, obviously, they haven't/can't receive an access token.
The API should not be requiring a token for a registration call. Registration and Login calls are the entry point for the rest of the API and cannot possibly require a token.