I've run across a lot of discussion here that seems to imply that it's OK to distribute an applications API key to clients, in order for them to make requests to TMDB directly. This is primarily in the context of rate limiting, which would be a real concern with a server acting as intermediary for a large number of clients.

I'm naturally disinclined to do this without further confirmation, of course, since no matter the obfuscation, once an API key ends up on the client it functionally becomes public. Is this really the recommended practice? Mightn't it be better to have a way to issue the clients their own keys? Think something like POST /3/authentication/client-key or whatever makes sense. Potentially these keys could also be time-limited.

If this is totally unnecessary, I'm also happy to have confirmation that it's completely fine to distribute the API key to clients and let them make requests independently :)