
Static API Keys (1998 to Dying)

When one company runs 10,000 ephemeral AI agents, static API keys stop being a security gap and start being a security crisis.

Born 1998 · Still dying · Status: dying

Certificate of Death

Name of decedent

Static API Keys

Born
1998
Died
Age
28+

Cause of death

AI agent proliferation made unscoped long-lived secrets impossible to govern

Survived by

SPIFFE/SPIRE, workload identity federation, short-lived JWTs, mTLS

Invented by

Early SOAP and REST API designers

Status: Dying · Final breath: 2028

Filed by D. Gupta · guptadeepak.com

The hook

GitHub finds an average of one leaked secret every minute in public repos. The fix is not better scanning. It is making the secret short-lived enough that the leak does not matter.

Thesis. Static API keys worked for 25 years because the blast radius was bounded. AI agents broke that boundary.

The story

The origin

REST APIs needed simple auth. The API key was the path of least resistance. Stripe popularized the model for SaaS in 2010 to 2012, and every developer-facing API copied the pattern: a long random string, scope-less, valid until manually revoked.

The peak

By 2018 every SaaS product had API key authentication and a 'keep this secret' warning in the docs that nobody followed. The keys ended up in committed code, CI environment variables, Slack messages, screenshots in support tickets.

The leak epidemic

GitGuardian reports 12.8 million new secrets exposed in public repos in 2024. The actual number including private repos is higher. Most never get rotated. Notable breaches tied to leaked keys: Uber 2022, CircleCI 2023.

The AI multiplier

When an enterprise deploys 10,000 AI agents, each needing access to multiple services, static keys become ungovernable. The volume crosses the threshold where individual key management collapses.

The replacement

Workload identity federation. Short-lived tokens issued per request. SPIFFE/SPIRE for cross-cluster identity. mTLS for service-to-service. The replacement is mature; what is missing is the migration tooling.

Key data points

  • GitGuardian State of Secrets Sprawl 2024: 12.8M new secrets exposed
  • Average secrets per developer in industry surveys: around 45
  • SPIFFE/SPIRE: CNCF graduated 2022
  • Notable breaches tied to leaked API keys: Uber 2022, CircleCI 2023

Contrarian angle

Secret scanning tools are a profitable industry built on top of a broken model. The right move is not better scanning. The right move is making secrets that cannot be useful when leaked.

The flip side

What replaces it

The paired prediction in Future Tech.


FAQ

Are personal access tokens the same problem?

Yes. PATs are static API keys with a fancier UI. The same blast-radius issues apply. GitHub has started shipping fine-grained PATs with expiration, which is the right direction.

How do AI agents get identities if not through API keys?

Workload identity federation. The agent runtime presents a verifiable attestation (cloud IAM token, OIDC claim) and exchanges it for a short-lived credential scoped to the specific tool call.
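The exchange described in this answer, and in "The replacement" section above, as an added example that is not part of the original page: an agent platform attests a workload, a token service exchanges that attestation for a JWT scoped to one tool and valid for 60 seconds, and the tool accepts only tokens issued for it. The keys, the `agent-platform` issuer name, the `agent-42` workload, the tool names and the policy table are all constructed for the example; HS256 (HMAC) stands in for the asymmetric signing a real issuer would use.

```python
"""Token exchange for an ephemeral agent: attestation in, short-lived scoped JWT out."""
import base64
import hashlib
import hmac
import json

# Constructed keys for the example. A real issuer signs with an asymmetric key
# published via JWKS (private_key_jwt); HMAC keeps this dependency-free.
ATTESTATION_KEY = b"platform-attestation-key-demo"   # held by the agent platform
ISSUER_KEY = b"token-service-signing-key-demo"       # held by the token service
TOKEN_TTL_SECONDS = 60                               # short-lived by design


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: header.payload.signature, base64url without padding."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Checks signature and expiry; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Agent platform side: attest the workload. Stands in for a cloud IAM token or
# OIDC claim that the runtime can present to the token service.
def issue_attestation(workload_id: str, now: float) -> str:
    return sign_jwt({"sub": workload_id, "iss": "agent-platform", "exp": now + 300},
                    ATTESTATION_KEY)


# Token service side: policy of which workload may call which tool (constructed).
ALLOWED_TOOLS = {"agent-42": {"search", "calendar:read"}}


def exchange_for_tool_token(attestation: str, tool: str, now: float) -> str:
    """Verify the attestation, apply policy, mint a credential bound to one tool."""
    att = verify_jwt(attestation, ATTESTATION_KEY, now)
    if att.get("iss") != "agent-platform":
        raise ValueError("untrusted attestation issuer")
    if tool not in ALLOWED_TOOLS.get(att["sub"], set()):
        raise ValueError(f"{att['sub']} is not allowed to call {tool}")
    return sign_jwt({"sub": att["sub"], "aud": tool, "scope": tool,
                     "iat": now, "exp": now + TOKEN_TTL_SECONDS}, ISSUER_KEY)


# Tool side: accept only tokens issued for this tool and still within lifetime.
def tool_accepts(token: str, tool: str, now: float) -> bool:
    try:
        claims = verify_jwt(token, ISSUER_KEY, now)
    except ValueError:
        return False
    return claims.get("aud") == tool


def demo() -> dict:
    """Shows why a leaked per-call token is not the same problem as a leaked static key."""
    t0 = 1_700_000_000.0
    att = issue_attestation("agent-42", t0)
    tok = exchange_for_tool_token(att, "search", t0)
    return {
        "valid_now": tool_accepts(tok, "search", t0 + 5),
        "wrong_tool": tool_accepts(tok, "calendar:read", t0 + 5),
        "leaked_after_ttl": tool_accepts(tok, "search", t0 + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The three outcomes in `demo()` are the whole argument of the page in miniature: the token works for the call it was minted for, is rejected by any other tool because of the `aud` check, and is worthless a minute later. Nothing about the agent ever sits in a repo or an environment variable long enough to matter.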

Is OAuth client_secret a 'static API key'?

Functionally yes, when it is long-lived. OAuth 2.1 and FAPI profiles increasingly require private_key_jwt and short token lifetimes for exactly this reason.
