When considering non public API and applying a OAuth authentication policy, the application identifier must be provided using the api_key as a header?

If so, does not it means that the user authorized client and the actual api consumer application have no strict relationship?


Thanks
Michele