I intend it as server to server but you made me think about this specific case. I might have found a solution that bypass and solve the problem you are referring to but I need to deeply think about it. Not only needs to be secured the API Key (which is solved by the solution I have in mind), but also the content/payload of the request (otherwise the client would change the amount of credits).