I'd expect the security team to realize what the code is treating as a secret isn't actually secret.

But there's a second insight that seems tough for a security review to catch. You have to realize that even though you can't do anything obviously malicious with the API, there is a billing problem.

Have you been on these reviews? The idea that the review will catch a misuse of the key generation infrastructure is a bit over the top.
Maybe the experienced security reviewers were laid off.