Do you have any examples?
It's the first time I hear about replacing API keys
OAuth with refresh tokens.
IAM roles/workload identity.
Even time-limited or signed JWTs, though those have separate issues.
Maybe you'll say 'those are both just text values passed like an API key', though API keys don't frequently rotate or have time limits, which is an important security feature.
This can be done in Azure using Entra (OAuth). I don't have API keys, or passwords of any kind, anywhere in the stack.
Infrastructure - https://dev.azure.com/byteterrace/Koholint/_git/Azure.Resour...
Server - https://dev.azure.com/byteterrace/Koholint/_git/Web.Function...
Client - https://dev.azure.com/byteterrace/Koholint/_git/Web.Portal
Workload identity. Whatever is using an API key could instead be given an identity, and narrow privileges assigned to that identity. API keys tend to be overscoped/overprivileged.
I wrote a post[0] a few years ago about how you basically get OAuth when you start layering security principles (rotation, time limits, central verification) onto API keys.
Turns out those standards writers knew something!
0: https://fusionauth.io/blog/securing-your-api