I'm using elgg 2.3.14 currenty and I have a plugin that uses a third-party authenticator (Auth0) to login to my site.  I currently register the auth0 user in the background once I have their credentials making a call like:

forward('register?name='.$name.'&email='.$email.'&authId='.$ authId.'&username='.$username);

where I have pulled the users creds from my auth0 object.  My question is, how can I prevent outsiders from hitting the register action?  I can see that it's listed as a public action when I view all of the actions from the administration page, how would I change that setting?  I currently get lots of fake registrations because that is a public action and I can't block.  I know setting the verify email to 'on' would at least make the users unvalidated, but I don't want to force email verification in order to register.