In 4.7.0, OpenAPI generation raises a 'audiences must be a dict when third-party issuers are in use' exception if non-Google Auth issuers are in use. However, api_key is technically treated as an issuer, even though it's a different kind of security control. Ignore api_key for these purposes.