I think it's fair to describe the need for signing as a lemming. However, I wonder why the initial evangelists of this standard (that is, in our current post-http era) chose signing instead of API Keys.

So often these kinds of things are a reaction to some negative experience.

I would be curious too. I think it comes down to the benefits are there and they're cheap enough that they may as well recommend a more secure approach.

Hey, author here. Pleasure to work on this article. I'd welcome strong opinions :-)