I’m currently implementing the Events API V2, and what I find striking is that the only form of “authentication/authorization” is the routing key. I would expect some kind of authorization header (which is present for the REST API).
In my use case, security is of high importance, and if someone were to make a typo in the routing key, I have the feeling that this could potentially end up at an organisation that should never have gotten this alert. Our idea is to have several (~10) routing keys, and a mistake can easily be made.
Am I overlooking something or is this in fact the only form of authentication and authorisation?