The OIDC browser dance won't suffice for programmatic access. And it might become a hassle to maintain dedicated creds, ala "walker".

API keys would be nice indeed. The downside of that, and we saw that with Drogue, is that there seems to exist no standard alongside OIDC. So basically, we would roll out own key system.

I think there's a benefit in that. But I also think, we have more important things to do today. So relying on confidential OIDC clients (with client id + client secret) should be fine for now.