Isn’t the Client-ID meaningless if its public? People could hijack somebody elses Client-ID and get it banned, no?
I guess @hlcws meant that anybody could use any valid clientID in his hands to make api calls with this clientID in header, lets say an Android app runs without any authentication some api calls clientsided with an 3rd party clientID in header.
this 3rd party clientID can not be protected from this kind of abuse, and i guerss thats what @hlcws is pointing at.