It’s been years but I thought I recalled having to use the key but then also setting what sites it’d work on.
If an attacker can figure out what sites it can be used on, they can use the API.