Yeah requiring secret seems like a good path forward for non-oauth-like flows. 

I will send some PRs to clients to add support for it.

That bot will inevitably be made bcs it's quite trivial, so thank you for raising the issue sooner.