What changes
The credential boundary leaves the local host entirely.
The host now presents its own backend token and user identity. The backend decides whether to forward the call and which upstream secret to use.
Boundary
The local host no longer touches the provider credential directly; it only talks to your backend contract.
Real-world analog
Internal API gateway, backend-for-frontend, or managed-identity-backed app service.
Security companion: backend or managed identity path.