You can just decay your trust level based on the `iat` value. That way people will need to keep buying me coffee. I can optionally chide them for giving out their token.

If you're engaging with the idea seriously, I suppose we'd need to build a reputation or trust network or something.

Although if you're talking about replay attacks specifically, there are other crypto based solutions for that.

My point is that there probably is no way in principle to distinguish between a human user utilizing automation on their own behalf in good faith (e.g. RSS readers) and bad faith automations.

That's a feature, not a bug.

A human is personally responsible for a bot acting on their behalf. If your bot behaves, nothing is going to happen. If you keep handing out your personal keys to shitty misbehaving bots, then you will personally get banned - which gives you a pretty good incentive to be a bit more discerning about the bots you use.

Yes, everything should just be agnostic, as long as the incentives work out it's all fine. Like if we had worked out micropayments for the web (not saying that's a good idea per se), then who cares if you're a bot or a human when you're paying a toll either way? Flipping it to be a cost rather than payment is functionally equivalent.

I am engaging with this seriously! I don't know if there will be any real solution. But I think it's worth exploring.