It looks like you're new here. If you want to get involved, click one of these buttons!
According to the document http://sendy.co/api, anyone can call subscribe and unsubscribe api without no restriction. People who knows the installation url, which can be any subscribers because there are so many hint in the mail, it is possible to hit the api and add any email address to the server.
I think it should be protected by default and warned to the Sendy users more.
The subscribe API and subscribe form HTML code does basically the same thing, just in a different way.
For example, when you have a subscribe form on your website, anyone can subscribe to it as well.
So it's just a redundant additional step to pass in your API key when using the API. Moreoever, you need to know what is the encrypted list ID in order to subscribe to any list.
The rest of the API does requires an API key.