Not an API bug, more of "lol centralauth". https://en.wikipedia.org/w/api.php?action=help&modules=centralauthtoken says "Source: AntiSpoof for CentralAuth" because we have multiple "extensions" pointing to the same directory.
The current ApiBase::getModuleSourceInfo() code actually takes the last match in $wgExtensionCredits for the directory, and $wgExtensionCredits['antispam'] winds up after $wgExtensionCredits['specialpage'] in the array. Making it "first match" instead would by chance probably fix CentralAuth as things are right now, but there's no guarantee that some future configuration change wouldn't cause $wgExtensionCredits['antispam'] to start coming first, and even if that doesn't happen it would misattribute any CA-sub-extension API modules as belonging to the main CA extension were some sub-extension to get an API module.
The real fix is to put sub-extensions in subdirectories, like ConfirmEdit does. Or as long as ignoring the "misattribute any CA-sub-extension API modules" is ok, extend $wgExtensionCredits to have a property that indicates which is the "main" extension and have the API preferentially choose that when there are conflicts.
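A simplified model of the lookup discussed above, added here as an illustration (it is not MediaWiki's or CentralAuth's code): it compares last-match, first-match and "main"-flag selection over a constructed credits array, then shows the effect of moving the sub-extension into a subdirectory. The file paths, the module file name and the `main` key are assumptions made for the example.

```php
<?php
// Constructed data shaped like $wgExtensionCredits (type => list of credits).
// All paths and the 'main' key are hypothetical.
$credits = [
    'specialpage' => [
        [ 'name' => 'CentralAuth', 'path' => '/ext/CentralAuth/CentralAuth.php', 'main' => true ],
    ],
    'antispam' => [
        [ 'name' => 'AntiSpoof for CentralAuth', 'path' => '/ext/CentralAuth/AntiSpoof.php' ],
    ],
];
$moduleFile = '/ext/CentralAuth/api/ApiCentralAuthToken.php'; // hypothetical location

// Every credit whose directory is a prefix of the module's source file.
function matchingCredits( array $credits, string $moduleFile ): array {
    $matches = [];
    foreach ( $credits as $group ) {
        foreach ( $group as $ext ) {
            if ( strpos( $moduleFile, dirname( $ext['path'] ) . '/' ) === 0 ) {
                $matches[] = $ext;
            }
        }
    }
    return $matches;
}

function lastMatch( array $m ): ?string { return $m ? end( $m )['name'] : null; }
function firstMatch( array $m ): ?string { return $m ? $m[0]['name'] : null; }
// Prefer a credit flagged as the main extension; otherwise fall back to first match.
function mainMatch( array $m ): ?string {
    foreach ( $m as $ext ) {
        if ( !empty( $ext['main'] ) ) {
            return $ext['name'];
        }
    }
    return firstMatch( $m );
}

$m = matchingCredits( $credits, $moduleFile );
echo 'last match:  ', lastMatch( $m ), "\n";
echo 'first match: ', firstMatch( $m ), "\n";
// First match depends on group order: swap the groups and the answer changes.
$swapped = matchingCredits( array_reverse( $credits, true ), $moduleFile );
echo 'first match, groups swapped: ', firstMatch( $swapped ), "\n";
echo 'main flag, groups swapped:   ', mainMatch( $swapped ), "\n";
// Subdirectory layout: the sub-extension's directory no longer contains the module.
$credits['antispam'][0]['path'] = '/ext/CentralAuth/AntiSpoof/AntiSpoof.php';
echo 'last match, subdirectory layout: ', lastMatch( matchingCredits( $credits, $moduleFile ) ), "\n";
```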