you could always make it generate a new one unless it says "paid" in the nip-11
that seems like a logical way to deal with it IMO
not authing at all is not helpful, and i'm pretty sad at the lack of thinking going on among client devs about this who are literally saying, like you literally just did, about doxxing
you're the client dev
think!