//nefariousplan

Caller Chosen Key

A server signs a bearer token with a key the caller provides on the request, then accepts that same caller-supplied key on verification. The signature therefore shows only that the caller could ask for issuance, not that they held any credential.
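The pattern in miniature, as an added example that is not code from the original page: the caller-keyed issue/verify pair beside a variant where the key never leaves the server. The HMAC-SHA256 token format, all function names, and the sample key and claims are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

def _sign(key: bytes, claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + mac).decode()

def _verify(key: bytes, token: str):
    """Return the claims if the MAC checks out under `key`, else None."""
    try:
        body, mac = token.encode().split(b".")
        good = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest())
        if not hmac.compare_digest(mac, good):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # wrong shape, bad base64, bad JSON
        return None

# Weak pattern: the key arrives on the request for both operations,
# so the MAC only shows the token is consistent with whatever key was sent.
def issue_weak(claims: dict, caller_key: bytes) -> str:
    return _sign(caller_key, claims)

def verify_weak(token: str, caller_key: bytes):
    return _verify(caller_key, token)

# Hardened pattern: one server-held key, never taken from request input.
# Constructed here at import time; a real service loads it from a secret
# store and authenticates the caller before issuing.
SERVER_KEY = secrets.token_bytes(32)

def issue_hardened(claims: dict) -> str:
    return _sign(SERVER_KEY, claims)

def verify_hardened(token: str):
    return _verify(SERVER_KEY, token)

def demo() -> dict:
    caller_key = b"caller-picked-key"          # constructed sample value
    claims = {"role": "admin", "sub": "alice"}  # constructed sample claims
    self_signed = _sign(caller_key, claims)     # built without any server secret
    return {
        "weak_accepts_self_signed": verify_weak(self_signed, caller_key) == claims,
        "hardened_rejects_self_signed": verify_hardened(self_signed) is None,
        "hardened_accepts_own_token": verify_hardened(issue_hardened(claims)) == claims,
    }
```

The weak verifier accepts a token the server never issued, because nothing in the check depends on a secret the caller lacks.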