MixCraft started with static API keys—generate one from the web portal, paste it into your Claude Code config. The mx_ prefixed keys had no expiration, lived in shell history and dotfiles, and revoking one meant generating a new key and updating every client. Service tokens from third-party APIs expired after an hour with no refresh mechanism, so users would get silent failures mid-session. I needed to replace the whole auth model with OAuth. But worse, it didn't work well with claude.ai because we had no way to easily create a connector.