Would love to see it. Whether tokens or API keys, I'm always interested in how folks recommend securing them.

There's also some interesting stuff around token binding happening. DPoP is moving towards becoming a standard: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-...