My plan is to make a small game with online leaderboards.
Having everything calculated on the server side is an unaffordable task, so I need some other way.
My guess is that the best approach is to
Is this the best I can do in this case?
This solution is quite a lot of work, but still not as much as an authoritative server, and it also provides other benefits: Add a record-and-replay feature to your game.
Now when someone gets an outrageous high score, you can check how exactly they achieved that. This does not just allows you to catch cheaters, it also gives you great data to find out how the players are playing the game, which you can use to improve it. And if you also allow your players to view the replays of the top scorers, then they can learn from that.
It's still not 100% bullet-proof though, because someone could still use a program to generate a fake replay showing a perfect playthrough. But that requires a lot more effort than just sending an INT_MAX value to your API endpoint, because the cheater first needs to figure out how a perfect playthrough actually looks like.
If you're doing the score calculation on the client, there is not much you can do to prevent cheating.
You can and should validate the input sent to the server, for example:
collected_coins <= total_coins_in_game
However, this wont stop them from simply lying that they have the maxiumum amount possible. Running the game logic on the server would protect against this, but you stated this was not an option.
Even installing anti-cheat software on the client won't prevent them from sending false data over the internet. For more details on the topic, you can look at a similar question on the Information Security Stack Exchange.
In the end, if you're going to have a scoreboard for a single-player or fully client-side game, you'll have to accept the fact there is no way to stop a client from cheating if they really want to.
