The Shared Key is a key that lets you revoke tokens of a single OAuth session wi...
The Shared Key is a key that lets you revoke tokens of a single OAuth session without deleting all the others. The key was hardcoded into a single, pre-seeded client called 'creator-cli' The key is a unique, unique, scoped, unique client named 'creator' Every browser session, every CLI login, every AI agent — they all shared this one `client_id'
Start with a quote-only recipe. Payment signing stays in your project.
const response = await fetch("https://codex.everygoodwork.io/0x1C1Ee78b938Af5333D3a99BF659e9aa771d8A8D5/the-shared-key-how-one-oauth-client-id-nearly-made-revocation-impossible", {
method: "GET",
});
console.log(response.status);
console.log(Object.fromEntries(response.headers));
console.log((await response.text()).slice(0, 1000));
// A valid 402 is a quote, not a completed paid call.This sends no payment. Inspect the 402 response before adding a wallet-enabled client.
- Exact route checked
non 402
- Origin reachable
HEAD https://codex.everygoodwork.io/ returned 200.
- Observed in 402-index
Discovered through bazaar.
- Registry record checked
Registry health: degraded.
EVIDENCE
Each record has an exact-route quote outcome. Unresolved templates and potentially mutating methods are labeled instead of being invoked without provider-specific test input. A quote is still separate from a settled paid call.