> But there is absolutely nothing about calling an API that fundamentally requires that the caller know a secret.

There is if you pay for API access, surely?