Aye, though I didn't want to complicate the "everything needs my API key" correction with discussion of providing CSRs separately.

That and I've not played with doing that myself yet, so while I know it is possible I can't talk about it authoritatively.