I have found that type checking for `api_key` is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 ```ruby def authenticate_with_api_key api_key = request.headers["Authorization"] || params[:api_key] …