OpenAI launches Workload Identity Federation for keyless API authentication
On May 26, 2026, OpenAI introduced Workload Identity Federation, a security capability that lets enterprise workloads authenticate to the OpenAI API without storing long-lived API keys. Trusted workloads instead exchange identity tokens issued by their existing cloud providers — AWS, Azure, Google Cloud, Kubernetes, or GitHub Actions — for short-lived OpenAI access tokens.
What's new
Workload Identity Federation works through a token exchange: a workload presents an OIDC identity token from its cloud or CI provider, and the OpenAI platform returns a short-lived access token scoped to that workload. No static API key is required, and no secret needs to be stored in environment variables or secrets managers.
The feature supports five major platforms at launch:
- AWS: EKS projected service account tokens and outbound OIDC federation
- Microsoft Azure: Managed Identity tokens
- Google Cloud: GKE service account tokens and metadata server identities
- Kubernetes: projected service account tokens from any cluster
- GitHub Actions: OIDC tokens generated per-workflow-run
Organization limits apply: up to 50 Workload Identity Providers per org, each with up to 50 service account mappings. Service account mappings define which external identity claims are allowed to obtain tokens for a given OpenAI service account.
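As an added illustration (not OpenAI's code; the exact claim names OpenAI's mappings accept, the audience value and the repository names are assumptions), the following models how a Workload Identity Provider plus a service account mapping gate the exchange for a GitHub Actions OIDC token: issuer and audience pin the trust anchor, the expiry check rejects stale tokens, and only a token whose claims match a mapping obtains a service account.

```python
import base64
import json
import time
from dataclasses import dataclass, field


@dataclass
class WorkloadIdentityProvider:
    """Trust anchor for one external issuer, e.g. GitHub Actions OIDC."""
    issuer: str
    audience: str


@dataclass
class ServiceAccountMapping:
    """Which external identity claims may obtain tokens for a service account."""
    service_account: str
    required_claims: dict = field(default_factory=dict)  # claim name -> exact value


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') purely for this example."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(jwt: str) -> dict:
    """Decode the payload only. A real verifier must first validate the signature
    against the issuer's published JWKS; that step is omitted here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(provider, mappings, jwt, now=None):
    """Return the service account the token may act as, or None if rejected."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    if claims.get("iss") != provider.issuer:
        return None  # token comes from an issuer this org does not trust
    aud = claims.get("aud")
    if aud != provider.audience and not (isinstance(aud, list) and provider.audience in aud):
        return None  # token was minted for a different relying party
    if claims.get("exp", 0) <= now:
        return None  # expired tokens must never be exchanged
    for m in mappings:
        if all(claims.get(k) == v for k, v in m.required_claims.items()):
            return m.service_account
    return None  # no mapping admits these claims
```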
Context
Managing long-lived API keys is a persistent pain point for engineering teams operating at scale. Static keys must be rotated regularly, protected from accidental logging, kept out of source control, and distributed securely across services — work that compounds with team and deployment size. A key compromised at any of those steps can expose an organization's entire API quota and spend.
OpenAI has steadily expanded its enterprise security infrastructure in 2025-2026, adding fine-grained Admin API controls, per-project key scoping, and spend alerts. Workload Identity Federation addresses the credential-management problem at a more fundamental level by eliminating the static key entirely for supported deployment environments.
Several enterprise platforms — Google Cloud, AWS, and GitHub — have offered workload identity federation for their own APIs for years. OpenAI's launch brings the pattern to AI API access, aligning with how security-conscious teams already manage other service-to-service authentication.
Why it matters
For teams running AI workloads in production cloud environments, this change closes a common credential-hygiene gap. A CI/CD pipeline running model evaluations, a containerized agent fleet on Kubernetes, or a GitHub Actions workflow running automated tests can now authenticate using ephemeral tokens that expire after each run. There are no secrets to rotate, no risk of leaked keys in build logs, and no manual secret distribution.
The adoption path is low-friction for teams already using one of the five supported platforms — identity federation is already configured for other cloud services in most mature cloud environments, and extending it to OpenAI follows the same pattern. Organizations handling sensitive data or operating under compliance frameworks that restrict long-lived credential storage will find this feature particularly relevant.
Corroborating sources
- Developers.openai
https://developers.openai.com/api/docs/guides/workload-identity-federation
“Workload identity federation lets trusted workloads exchange externally issued identity tokens for short-lived OpenAI access tokens.”