Yet another argument for the death of the API key. Replacements abound; let's get on with it.
Do you have any examples?
It's the first time I've heard about replacing API keys.
And passwords. Shared secrets in general are a bad idea. If you're copy/pasting strings around to be used for authentication, you've done something wrong.
Workload identities and passwordless auth are the one true path.
API keys will never die. Every time you think you have killed them, some startup is gonna come and say "look how complicated it is to set up an OAuth flow just to get X from the other companies. Here is our setup" and it's 1 line of JavaScript or Python with `let client = awesomeClient("{api-key}");` and everyone will love it.