I’ve rebased this PR as I’m back to focusing on ActivityPub, and this is a potential framework for one of its features, as discussed in the OP.
https://github.com/discourse/discourse/pull/28119
While rebasing I noticed that separating keys from clients as this PR does would also solve issues like the one addressed recently by @nat
https://github.com/discourse/discourse/commit/ede06ffd439263c36ce7fad125efe556a1e8524f
Namely, the need to make this change, to destroy all old keys associated with a client, regardless of user, arises because keys and clients are in the same table. Separating them means you can just register a new key for the alternate user of the client.