[fraromeo]

Very interesting point. Thanks for bringing this up.

Couple of questions: shouldn't my customers be taking care of this since I don't know their architecture? I think mobile devs can hugely benefit from Creduse, can you point me on how to support them for this scenario?

open to discuss via email if you prefer: francesco@creduse.com

[lwansbrough]

If you’re intending for your API to be server to server then it’s not an issue. But that may limit uptake from mobile devs who may be looking for a more plug and play solution to dodge the need to build their own infra.

[fraromeo]

I intend it as server to server but you made me think about this specific case. I might have found a solution that bypass and solve the problem you are referring to but I need to deeply think about it. Not only needs to be secured the API Key (which is solved by the solution I have in mind), but also the content/payload of the request (otherwise the client would change the amount of credits).