by chizhik-pyzhik 1078 days ago
A cursory look at the code and this seems legit, nothing that would steal my login credentials. It's a small codebase.

I'm curious how long the hardcoded api key here will work, though: https://github.com/grossartig/vanmoof-encryption-key-exporte...

used in https://github.com/grossartig/vanmoof-encryption-key-exporte...

2 comments

I assume that's the key used by the app. So if they kill that key, they also kill all existing applications.

That's the thing with this kind of "protection". If your proprietary app needs to access the server, anybody who can either extract the key from the app with reverse engineering or who can listen in on the communication between app and server will be able to use that API.

It's the same issue as with DVD encryption: If you need to show the movie to people, people need to be able to decrypt it. If this needs to happen offline, then the material needed for decryption must be static and either be on the disk or in the player - where it can be extracted and used by third parties.
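To make the point in this comment concrete, here is an added example (written for this page, not code from the thread or from the exporter tool it discusses) that contrasts the two server-side models in Python: a gate that checks a single static key shipped inside the client, and a gate that issues per-user, short-lived tokens signed with a key that never leaves the server. All values (the placeholder app key, user ids, timestamps) are constructed; the `TokenIssuer` class and its methods are an assumption of this example, not any vendor's API. The static gate can only verify that the caller holds the same string the app holds, so revoking it breaks every install at once; the token model lets the server rotate keys and revoke individual users without shipping a new client.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Model 1: one static key baked into the client --------------------------
# Constructed placeholder, not a real key. Whoever recovers this string from
# the shipped app is indistinguishable from the app itself.
STATIC_APP_KEY = "EXAMPLE-static-app-key-0000"


def static_key_gate(presented_key: str) -> bool:
    """Server check for the static-key model: the only fact it can establish
    is that the caller possesses the same string the app ships with."""
    return hmac.compare_digest(presented_key.encode(), STATIC_APP_KEY.encode())


# --- Model 2: per-user, expiring tokens signed with a server-only key ------
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenIssuer:
    """Signing keys live only on the server (hypothetical design for this
    example). The client never holds one, so nothing extractable from the app
    grants API access by itself."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.keys = {"k1": secrets.token_bytes(32)}   # kid -> HMAC signing key
        self.current_kid = "k1"
        self.revoked_users = set()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a token bound to one user with an expiry and a key id."""
        now = time.time() if now is None else now
        payload = {"sub": user_id, "exp": int(now) + self.ttl, "kid": self.current_kid}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self.keys[self.current_kid], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid token, or None on any failure."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            payload = json.loads(_unb64(body))
            key = self.keys[payload["kid"]]          # unknown/retired kid -> KeyError
        except (ValueError, KeyError):
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if payload["exp"] <= now or payload["sub"] in self.revoked_users:
            return None
        return payload["sub"]

    def rotate(self) -> None:
        """Sign with a fresh key from now on. Older keys stay verifiable until
        retired, so existing installs keep working through the rotation."""
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid

    def retire(self, kid: str) -> None:
        """Drop an old signing key; tokens minted under it stop verifying."""
        self.keys.pop(kid, None)

    def revoke_user(self, user_id: str) -> None:
        """Cut off one account without touching anyone else's tokens."""
        self.revoked_users.add(user_id)


if __name__ == "__main__":
    # Static model: the extracted string is all it takes.
    print("static key accepted:", static_key_gate(STATIC_APP_KEY))
    # Token model: per-user, expiring, revocable, rotatable server-side.
    issuer = TokenIssuer(ttl_seconds=60)
    tok = issuer.issue("alice", now=1000)
    print("fresh token ->", issuer.verify(tok, now=1010))
    print("expired token ->", issuer.verify(tok, now=1061))
    issuer.revoke_user("alice")
    print("revoked user ->", issuer.verify(tok, now=1010))
```

The contrast is the whole point of the comment above: in the static model the server cannot tell the vendor's app from a third-party tool that recovered the key, and the only lever it has (killing the key) hits every install at once; in the token model the secret that matters stays server-side, and individual users or key generations can be cut off independently.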

I don't know anything about these bikes; but what is one supposed to do once they retrieve their keys? Does the app/bike provide an alternative method of presenting the key? Are keys rotated, so they need to be downloaded more than once (I assume that's the case since this code is intended to be run as a service, in a Docker container)? If so, what happens when their servers do shut down and there is no API?

Are people like the creator of this tool hoping for a future option to make use of the keys, and they're just being backed up for a rainy day at this point?

The keys in this case are used for bluetooth comms locally between somebody's device and their bike.

These are ordinarily used by the VanMoof app to unlock the bike and control the bike's settings.

There are already some third-party apps (Moofer, Mooovy) to allow alternate access to those settings – including some hidden ones.

With a few tweaks those third-party apps should be able to support direct key upload, rather than having to log in and proxy authentication through to VanMoof's API.