12.3 Static API Keys & Service Secrets
When authority is cryptographic and scoped, static API keys become obsolete.
Legacy API Key Model vs PTERI
| Category | Traditional Model | Problems | PTERI Replacement |
|---|---|---|---|
| Authentication Method | Long-lived API keys | Key leakage | Signed requests |
| Storage Model | Stored in environment variables | Secrets exposed in logs, CI/CD, or memory | No stored secrets |
| Service Architecture | Shared across services | No attribution | Machines have unique cryptographic identities |
| Authorization Model | Key grants ambient authority | No intent verification | Scoped authority per request |
| Key Lifecycle | Manual rotation required | Difficult rotation | No rotation needed (no reusable secret) |
| Auditability | Key use not tied to intent | Cannot prove who approved what | Deterministic verification |
Core Principle
"Machines become cryptographic identities, not secret holders."
When every request is signed, authority is explicit, scoped, and verifiable — not embedded in static secrets.
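The following Go program is an added illustration of the table above, not PTERI's own code or wire format: a service identity signs each request with an Ed25519 key (Go standard library), and the verifier side holds only public keys and a policy, so there is no stored secret to leak, rotate, or share. The field names, the "orders:read" / "orders:write" scope strings, the policy table and the service name "billing-worker" are all constructed for this example. The signature binds the caller identity, the operation, the body digest, a timestamp and a single-use nonce; the verifier checks identity, signature, freshness, replay and scope in that order, which is what makes each request's authority explicit, scoped and auditable rather than ambient.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SignedRequest replaces the API key: every field below, plus the body, is covered by the signature.
type SignedRequest struct {
	ServiceID string // caller's machine identity (field names are this example's own)
	Method    string
	Path      string
	Scope     string // the single capability this request claims, e.g. "orders:read"
	IssuedAt  int64  // Unix seconds; limits how long a captured request stays useful
	Nonce     string // random, single-use; lets the verifier reject replays
	Signature []byte
}

// canonical renders the signed fields and the body digest in a fixed order;
// signer and verifier must produce exactly the same bytes.
func canonical(r SignedRequest, body []byte) []byte {
	sum := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%s\n%d\n%s\n%x",
		r.ServiceID, r.Method, r.Path, r.Scope, r.IssuedAt, r.Nonce, sum[:]))
}

// Sign produces the per-request signature with the caller's private identity key.
func Sign(priv ed25519.PrivateKey, r SignedRequest, body []byte) SignedRequest {
	r.Signature = ed25519.Sign(priv, canonical(r, body))
	return r
}

var (
	ErrUnknownIdentity = errors.New("unknown service identity")
	ErrBadSignature    = errors.New("signature does not verify (request or body altered)")
	ErrStale           = errors.New("request outside accepted time window")
	ErrReplay          = errors.New("nonce already used")
	ErrScope           = errors.New("scope not granted to this identity or wrong for the operation")
)

// Verifier holds public keys and policy only; there is no shared secret to leak or rotate.
type Verifier struct {
	Identities map[string]ed25519.PublicKey // service ID -> enrolled public key
	Policy     map[string]map[string]bool   // service ID -> scopes it may claim
	MaxSkew    time.Duration                // accepted clock difference
	seenNonces map[string]bool              // production: drop entries older than MaxSkew
}

func NewVerifier(skew time.Duration) *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string]map[string]bool{}, skew, map[string]bool{}}
}

// scopeFor maps an operation to the scope it needs (a constructed policy table).
var scopeFor = map[string]string{"GET /orders": "orders:read", "POST /orders": "orders:write"}

// operation keys on method and first path segment, e.g. "GET /orders" for GET /orders/42.
func operation(method, path string) string {
	return method + " /" + strings.SplitN(strings.TrimPrefix(path, "/"), "/", 2)[0]
}

// Verify checks identity, signature, freshness, replay and scope, in that order.
func (v *Verifier) Verify(r SignedRequest, body []byte, now time.Time) error {
	pub, ok := v.Identities[r.ServiceID]
	if !ok {
		return ErrUnknownIdentity
	}
	if !ed25519.Verify(pub, canonical(r, body), r.Signature) {
		return ErrBadSignature
	}
	if d := now.Sub(time.Unix(r.IssuedAt, 0)); d > v.MaxSkew || d < -v.MaxSkew {
		return ErrStale
	}
	if v.seenNonces[r.Nonce] {
		return ErrReplay
	}
	need := scopeFor[operation(r.Method, r.Path)]
	if need == "" || r.Scope != need || !v.Policy[r.ServiceID][need] {
		return ErrScope
	}
	v.seenNonces[r.Nonce] = true // record only once every check has passed
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // identity key; nil means crypto/rand
	v := NewVerifier(2 * time.Minute)
	v.Identities["billing-worker"] = pub // enrolled out of band (constructed identity)
	v.Policy["billing-worker"] = map[string]bool{"orders:read": true}
	now, body := time.Now(), []byte(`{"id":"42"}`)
	req := Sign(priv, SignedRequest{ServiceID: "billing-worker", Method: "GET", Path: "/orders/42",
		Scope: "orders:read", IssuedAt: now.Unix(), Nonce: "constructed-nonce-1"}, body)
	fmt.Println("first use:", v.Verify(req, body, now))
	fmt.Println("replayed:", v.Verify(req, body, now))
	fmt.Println("altered body:", v.Verify(req, []byte(`{"id":"7"}`), now))
}
```

Two design points matter for the table's "auditability" and "no rotation" rows. A rejected or accepted request can be logged together with its signature and canonical bytes, so anyone holding the public key can later re-verify exactly which identity asked for which scoped operation; and because the private key never leaves the caller, compromise of the verifier side (logs, CI/CD, memory) yields nothing reusable. The nonce store is what bounds replay; in a real deployment it must be shared across verifier replicas and pruned at the MaxSkew boundary.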