A manifesto against insecure machine authentication
Stop passing around API keys. They are the shared passwords of the machine world.
They don't expire.
They can't be scoped.
They leave no audit trail.
We stopped trusting passwords for humans years ago.
It's time to stop trusting them for machines.
Has this actually caused real problems? Yes. Repeatedly. At scale.
A breach forced every CircleCI customer to rotate every secret in their CI environment. Thousands of organizations scrambled to replace API keys across their entire infrastructure — overnight.
An attacker social-engineered past MFA, then found PowerShell scripts containing hardcoded AWS credentials on an internal file share. Those keys unlocked Uber's cloud infrastructure.
Lapsus$ leaked SmartThings source code. Buried inside: AWS keys, GitHub tokens, Artifactory credentials — all plaintext, all active.
Attackers modified Codecov's Bash uploader to silently exfiltrate environment variables — including API keys — from thousands of CI pipelines. Two months before anyone noticed.
Twitch's entire source code was leaked, complete with API keys and credentials scattered throughout. 125 GB of proof that secrets in code are only secret until they aren't.
Attackers found Tesla's Kubernetes console exposed without auth. Inside: AWS credentials. Used to run cryptominers on Tesla's cloud bill.
git push with a secret in the repo, it has already failed.
This is not a tooling problem you can patch with secret scanners. API keys are architecturally broken:
They live forever unless someone remembers to rotate them
One key, full access, all the time
Who used this key? When? From where? You'll never know
The #1 secret type found in public repositories
Both sides store the same value. Compromise either, compromise both
Every provider does it differently, if at all
Revoke one consumer's access and break everyone else's
When the providers who issue API keys tell you not to use them, it's time to listen.
AWS recommends IAM roles over access keys and flags long-lived keys as a security finding.
Google Cloud recommends workload identity federation over service account keys.
Azure recommends managed identities and is deprecating shared key auth on storage.
GitHub offers OIDC for Actions and fine-grained tokens with expiration.
We also used to telnet into production. We used to FTP deploy by dragging files into a folder. We used to email spreadsheets of shared passwords.
The industry moved on from every one of those, and nobody misses them.
API keys had their moment. That moment was 2008.
We now have OAuth 2.0, OIDC, workload identity, mTLS, and a dozen standards that don't require you to copy-paste a secret into a .env file and pray.