Registering a user doesnt work with default settings (plus note you need to have a captcha code which I have only been able to get from the website)

HTTP response headers: HTTPHeaderDict({'Date': 'Fri, 16 May 2025 21:01:37 GMT', 'Content-Type': 'application/json', 'Content-Length': '202', 'Connection': 'keep-alive', 'Vary': 'Accept-Encoding', 'cache-control': 'private, no-cache', 'pragma': 'no-cache', 'Server': 'cloudflare', 'CF-RAY': '940dcfb3abbe4547-AMS'})
HTTP response body: {"error":{"message":"account sign-ups are not allowed on this domain. if you believe to have gotten this message in error, please contact support at help.vrchat.com","status_code":403,"waf_code":15028}}

Should we keep this endpoint in the spec?

resendemail is auth/user/resendemail instead of auth/resendemail, and right now has to take in an empty object ({}) in python, can't we just not give a body for this endpoint?

/auth/twofactorauth/totp/pending

has a post and a delete endpoint, delete cancels a pending totp request

rest of the PR looks good and is verified to work

Marked POST /auth/register as deprecated and set description to warning about absence of legitimate uses for the endpoint, do you think that would be an appropriate compromise?
I am partial to documenting but deprecating etc.; malicious actors would figure out the endpoint regardless of if it's documented, innocent actors would simply better understand the API and move on