Is there any security concern with having no org IDs for keys or APIs?

I’m running into the same issue here:

Are you saying that in the example above, passing “test_key” should still work? That has not been my experience.