I was looking at creating draft orders via API but there is a problem. *Anyone* who gets the link can change all the customer information on the invoice. If I've created the invoice for a specific customer, it makes no sense to allow those fields to be edited. If you're using the API (like I am) then there is presumably automation going on and it's poor design to permit arbitrary editing of the data with no authentication.
I'm trying to create special offers for specific customers. Maybe nobody would bother to cheat the system but why is it even open? It seems like it would be trivial to lock the customer data or allow that as an option.