Hot take: calling protocols like CHAP "authentication" protocols just because they prevent MITM (frontrunning) and replays is misleading and yields a ton of vulnerable software.
People at best think of authentication as something to do with identity, not as a way to validate the integrity of an API request.
I'm currently making a CHAP-inspired implementation, and I think I'm managing to document it well enough without claiming that it's an "authentication" solution.
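
An added illustration, not part of the original post and not the poster's implementation: a minimal challenge-response check showing what such an exchange establishes (freshness and request integrity) and what it does not (which holder of the secret sent the request). The `Server` class, the `respond` and `demo` names, the message layout and the use of HMAC-SHA256 in place of CHAP's MD5 hash are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumed design for illustration: one-time server challenge, HMAC-SHA256
# response computed over challenge + request body.


class Server:
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending = set()  # challenges issued and not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, body: bytes, response: bytes) -> bool:
        # A challenge is single-use: consuming it here is what stops replays.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = respond(self._secret, challenge, body)
        return hmac.compare_digest(expected, response)


def respond(secret: bytes, challenge: bytes, body: bytes) -> bytes:
    # Length-prefix the challenge so (challenge, body) pairs cannot collide.
    msg = len(challenge).to_bytes(2, "big") + challenge + body
    return hmac.new(secret, msg, hashlib.sha256).digest()


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    server = Server(secret)
    body = b'{"action":"transfer","amount":10}'  # constructed sample request

    c1 = server.issue_challenge()
    r1 = respond(secret, c1, body)
    results = {"fresh": server.verify(c1, body, r1)}
    results["replayed"] = server.verify(c1, body, r1)

    c2 = server.issue_challenge()
    r2 = respond(secret, c2, body)
    results["tampered"] = server.verify(c2, b'{"action":"transfer","amount":9999}', r2)

    # Any holder of the secret passes; the exchange carries no notion of who sent it.
    c3 = server.issue_challenge()
    results["other_holder"] = server.verify(c3, body, respond(secret, c3, body))
    return results
```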