Yes, an API key and bearer token are both required for our public instance. However, organizations deploying our product on an enterprise platform can make the API key requirement optional by changing the server configuration. Note that this will reduce the level of traceability as the API key is used for identifying the application making a call.
I tried just sending the bearer token but didn’t have success. Outside of potentially setting scopes on the API key, it doesn’t seem like there’s any added security when the API key has the power to authorize as any identity using `/authorizealias`.
The API keys are necessary in order to ensure secure authorization and authentication. Even though the API key has the power to authorize as any identity, setting scopes on the API key will provide added security by restricting the access of the bearer token to specific resources.