@Jain yeah, but at this point the client api is just a duplicate of the ap api (which is made for client<>server too, not only server<>server)

the client api is used to render the same info available from the ap api, just that many servers have auth_fetch on the ap one, and no auth on the client one, with just makes the auth in the ap one kinda useless for stopping malicious actors

and if you put auth on both... why have two apis?