Why do web APIs tend to use pre-shared keys for client auth instead of pubkeys?(crypto.stackexchange.com)
crypto.stackexchange.com
Why do web APIs tend to use pre-shared keys for client auth instead of pubkeys?
https://crypto.stackexchange.com/questions/101827/why-do-web-services-tend-to-use-preshared-secret-keys-for-client-authentication
For APIs focused on server based apps, this should work as well as anything else.
It's not possible to duplicate an IP --- the communication gets broken. If the server gets compromised --- well, any pre-shared keys are likewise compromised so the result is the same.
There are a few services that support this but not very many.