The quickest way I can think of to keep a script key private when using a custom protocol handler would be to setup an API gateway.
Essentially, you could setup a web server, similar to how you would if using AMIs with HTTPS, but in this case you either:
- Have the server pass you back an API session token; or,
- Execute the desired code on the server, on the user’s behalf.
For example, if using Python, I’d probably setup a Flask server, then use the Requests library from the user’s machine to send execution requests to it.
Using an API gateway also allows you to log which users are sending which requests, should you be interested in that.
I’m sure there’s a few other ways that this could be done, but that’s what first comes to mind.