API security was designed for a world where secrets leaked occasionally. We now live in a world where agents harvest and test them continuously at scale. In that environment, 'keep the key safe' is not a control model. It is wishful thinking. Keys should have been origin-bound by default, so a stolen credential would not automatically become a usable credential.
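The contrast the post draws, as an added example that is not the author's own code: a bearer key is usable by anyone who captures it, while a sender-constrained key (modeled here on proof-of-possession schemes, with a client-held binding secret that never travels) only yields a per-request proof that is tied to the method, URL, time and a nonce. The key ids, the binding secret and the endpoint URLs are constructed sample values.

```python
import hmac
import hashlib
import time
import secrets

# Constructed server-side credential stores. In the bearer model the secret
# itself is sent on every request; in the bound model only a proof derived
# from the binding secret is sent, so a captured request is not reusable.
BEARER_KEYS = {"ak_live_example": "client-A"}
BOUND_KEYS = {"ak_bound_example": {"owner": "client-A",
                                   "binding": b"constructed-binding-secret"}}

PROOF_WINDOW = 60        # seconds a proof stays acceptable
_seen_nonces = set()     # (key id, nonce) pairs already accepted


def check_bearer(headers):
    """Bearer model: whoever presents the key is authenticated, from anywhere."""
    key = headers.get("Authorization", "").removeprefix("Bearer ")
    return BEARER_KEYS.get(key)


def make_proof(binding, method, url, ts, nonce):
    """HMAC over the request shape; the binding secret never leaves the client."""
    msg = f"{method}\n{url}\n{ts}\n{nonce}".encode()
    return hmac.new(binding, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, binding, method, url, now=None):
    """Client side: attach key id, timestamp, fresh nonce and the proof."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return {"X-Key-Id": key_id, "X-Ts": str(ts), "X-Nonce": nonce,
            "X-Proof": make_proof(binding, method, url, ts, nonce)}


def check_bound(headers, method, url, now=None):
    """Server side: proof must match this request, be fresh, and be unused."""
    rec = BOUND_KEYS.get(headers.get("X-Key-Id"))
    if rec is None:
        return None
    try:
        ts = int(headers.get("X-Ts", ""))
    except ValueError:
        return None
    now = now if now is not None else time.time()
    if abs(now - ts) > PROOF_WINDOW:          # stale capture
        return None
    nonce = headers.get("X-Nonce", "")
    if (headers["X-Key-Id"], nonce) in _seen_nonces:   # straight replay
        return None
    expected = make_proof(rec["binding"], method, url, ts, nonce)
    if not hmac.compare_digest(expected, headers.get("X-Proof", "")):
        return None                           # wrong endpoint, method, or no secret
    _seen_nonces.add((headers["X-Key-Id"], nonce))
    return rec["owner"]
```

A harvested bearer key authenticates from any origin; a harvested bound request yields one already-spent proof and a key id that is useless without the binding secret.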