This is one listed under Applications from June of 2018. If I swap to a Client ID from April of 2020, it returns the 401 with OAuth token is missing.
It also appears to not validate that the token and client ID match for these older IDs either. I can even pass through a blatantly fake token, such as ‘abc123’ with the older client IDs and the data comes back just fine. Likewise, I can pass through a valid token from the old client ID and a blatantly fake Client-ID such as ‘abc123’ and it works.
Edit: I just wanted to double check. Generated a new app token via a newer client ID. The token from the new client ID mixed with ‘abc123’ as the client ID gives me 401 Client ID and OAuth token do not match.
I’m not sure if this is a bug, or just something where I should be grateful for these old applications.