Data360 Govern

  • 1.  Make API Key and Secret unique per environment (Critical)

    Posted 04-06-2021 06:01

    Scenario:


    I am a developer minding my own business who wishes to delete assets via the API. The developer has admin permissions on both a dev environment and prod environment catalogue. 

    The developer stores his API key and secret to use as part of subsequent API calls but mistakenly removes .dev. from the URL and executes the API calls. The calls will now succeed on the prod catalogue because the security in place does not separate credentials per environment.

    In my opinion, the API secret and key should be allowed to be changed by the user, or click a button to generate or request new keys to be created, just like how API keys are editable or allowed to be refreshed on many other API websites such as GitHub, Facebook, Google, etc.

    If the API key is not at least manually editable or renewed by the user, then the read-only API keys generated should somehow take into consideration the environment so that the API key and secret are unique across all catalogues.

    I consider this a security issue that could cause a lot of harm by someone simply changing the URL, without having to change the credentials too.
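    Until keys are issued per environment, the failure mode above (one key/secret accepted by both catalogues, so a URL typo silently targets prod) can be made to fail closed on the client side. The following is an added example, not code from the thread or from the Data360 Govern product: hostnames, header names and the asset path are constructed placeholders, and the credential is bound to the exact host it was issued for, so dropping ".dev." from the URL is refused before any request is built.

```python
"""Environment-bound credential guard (added example; hypothetical client)."""
from dataclasses import dataclass
from urllib.parse import urlparse


class EnvironmentMismatch(Exception):
    """Raised when a credential is about to be sent to a host it was not issued for."""


@dataclass(frozen=True)
class EnvCredential:
    # All values are constructed for the example; the real product's hosts,
    # header names and key formats are not taken from the thread.
    environment: str   # label such as "dev" or "prod"
    host: str          # exact host the key/secret were issued for
    api_key: str
    api_secret: str


def auth_headers(cred: EnvCredential, url: str) -> dict:
    """Return auth headers for `url`, refusing any host other than cred.host.

    The key/secret may be identical across catalogues, so the binding is
    enforced on the exact hostname: a URL typo (e.g. dropping ".dev.")
    raises instead of reaching the prod catalogue with valid credentials.
    """
    host = urlparse(url).hostname
    if host != cred.host:
        raise EnvironmentMismatch(
            f"credential for {cred.environment} ({cred.host}) refused for {host}")
    # Hypothetical header names; substitute whatever the API actually expects.
    return {"X-Api-Key": cred.api_key, "X-Api-Secret": cred.api_secret}


def build_delete(cred: EnvCredential, base_url: str, asset_id: str):
    """Assemble (method, url, headers) for an asset delete without sending it."""
    url = f"{base_url.rstrip('/')}/api/assets/{asset_id}"   # hypothetical path
    return ("DELETE", url, auth_headers(cred, url))


if __name__ == "__main__":
    dev = EnvCredential("dev", "govern.dev.example.com", "KEY-dev-0001", "SECRET-dev")
    print(build_delete(dev, "https://govern.dev.example.com", "42"))
    try:
        build_delete(dev, "https://govern.example.com", "42")   # ".dev." dropped
    except EnvironmentMismatch as exc:
        print("blocked:", exc)
```

The guard only protects a caller that routes every request through it; it does not change the fact that the server would accept the shared key, which is the point of the request above.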



  • 2.  RE: Make API Key and Secret unique per environment (Critical)

    Employee
    Posted 04-06-2021 09:57

    Note: This was originally posted by an inactive account. Content was preserved by moving under an admin account.

    Hello Patrick,

    We have created an Enhancement ticket for your request and our Product Management team is going to review your request.