they changed it but still kinda possible,
now humble bundle redirect you to steam.com/redeem?CDKEY blablabla
and if you are not logged it or your cookie timed out it will ask you to login again, the cdkey can then be fetch from the url if you know where to lock and when to look
Yep, the current link in use is https://store.steampowered.com/account/registerkey?key=[#####-#####-#####]. Both Chrono.gg and Humble present the purchaser with the same key-formatted activation link and it can be used without a Steam key to load a redemption page. The trouble with it is that it still ends up exposing the key before confirming the activation and can be farmed from it.
The old method used OAuth 2 to activate a game from a third-party site directly to Steam account but support for it ended in early 2015. Thereās some speculation as to why Steam stopped supporting OAuth 2 a few comments into this Reddit post. This kind of activation seemed to effectively prevent farming keys but nothing similar seems to be possible with Steam at the moment. 
i mean, what is the difference between bruteforcing key with oauth2 the link or via the steam appā¦ they should have timeout limits and other protection, i dont see how oauth2 was worst than passing key as argument
The OAuth 2 lead author resigned from the project citing numerous issues they saw with the specification. I donāt know exactly why Valve ended OAuth 2 but it certainly wasnāt looking good for OAuth 2 at that point.
Steam keys donāt have any real need to be hidden from the owner so in most contexts the web based activation is perfectly fine. It just doesnāt work well in situations where groups of keys are given away.
One other thing thatās important in all of this: costs & benefits. Was maintaining something similar to the older activation technique going to increase Valveās revenue by an appreciable margin? Maybe they didnāt think so.