That was a nice read, thanks Ronald! I have a question regarding point 6, why prefer a custom header for passing api keys when we could use standard Authorization header with bearer scheme?