The fundamental difference between the POST and PUT methods is
highlighted by the different intent for the enclosed representation.
The target resource in a POST request is intended to handle the
enclosed representation according to the resource's own semantics,
whereas the enclosed representation in a PUT request is defined as
replacing the state of the target resource. Hence, the intent of PUT
is idempotent and visible to intermediaries, even though the exact
effect is only known by the origin server.
Therefore it would be perfectly valid to "create" a resource with both PUT and POST methods as well as "update" another one with, also, PUT and POST. It is actually even clearly stated with a few examples in the RFC. For instance in POST definition: Appending data to a resource's existing representation(s).
I used to defined PUT and POST requests according their characteristics: the first one is idempotent, the second is not ... but could be.
Therefore, in my understanding, it is perfectly valid to perform an "upsert" (insert or update) to a resource which doesn't exist yet but for which you already know the URL, it is indeed idempotent. For instance: PUT /resources/xyz
A last piece of evidence is the first line of PUT section in RFC 7231: The PUT method requests that the state of the target resource be
created or replaced with the state defined by the representation
enclosed in the request message payload.
I hope it helps to clarify a little bit the topic. 1. Idea + POC (solved technical issues) => Done
2. Build a MVP => Done
3. Get some feedback and see if there is any interest. => Here we are!
4. Based on feedback, add (premium) features but keep the basic service for free.
So in summary; yes it will stay free, I might add some "acceptable" limitations but the goal is indeed to propose additional (non-free) features like well-known services (for instance Gitlab). "An encoder might also choose not to index values for header fields that are considered to be highly valuable or sensitive to recovery, such as the Cookie or Authorization header fields."
In the following Stackoverflow thread (https://stackoverflow.com/a/60941643) I described a way to store a JWT in Cookies while keeping convenient to use payload from the Javascript stack (for instance to display the user name).
This is achieved by splitting the JWT in 3 parts (header, payload and signature) and storing it into 3 different Cookies which have different properties. The _header_ and _payload_ would be accessible from the web application while the _signature_ is configured with HttpOnly and therefore unaccessible from the web app. The inconvenient of this method is that you have to reconstruct/concat the 3 parts server side.
Disclaimer: it's actually an experiment which has for purpose to get the better of both world and it has not been tested from security standpoint.