That statement had me look into what is the DiscourseHub mobile application. As near as I can figure it is
My take on what you are saying is that
Users of the DiscourseHub mobile app are getting a user API key. The users do not know they are requesting a user API key because the app does it seamlessly. Also the request for user API will not show up in the report of listed keys.
It’s possible that your idea is correct, but I would feel more confident if I could review the code that implements it. Please excuse my cautious approach, as it’s common in my profession as a programmer to request direct access to the code in order to verify information. Since Discourse is an open source platform, examining the code would provide stronger evidence and help me better understand the situation. (ChatGPT rephrased that paragraph for me, my version sounded slightly harsh and that was not the intent.)