OpenAI: Workload Identity Federation eliminates long-lived API keys through OIDC token exchange
OpenAI Workload Identity Federation is a security mechanism that allows workloads to exchange externally issued OIDC identity tokens for short-lived OpenAI access tokens. Instead of storing long-lived API keys in code or configuration, the system supports Kubernetes, AWS, Azure, Google Cloud, GitHub Actions, and SPIFFE as trusted identity sources.
This article was generated using artificial intelligence from primary sources.
OpenAI announced Workload Identity Federation — a security mechanism that eliminates the need to store long-lived API keys in code or application configuration files.
How does identity token exchange work?
Workload Identity Federation relies on four components. First, a Workload Identity Provider is defined that describes a trusted external issuer with an OIDC endpoint, audience, and key verification source. Then Service Account Mapping authorizes specific attributes of the external token to create tokens for a specific OpenAI service account. In the third step, Token Exchange receives the external workload token and returns a short-lived OpenAI access token. Finally, the application uses this token as a bearer credential for API calls.
The system uses OIDC-compatible JWT tokens. Token attributes can be transformed through Common Expression Language (CEL) to derive custom matching criteria from token claims.
Which platforms and clouds are supported?
OpenAI provides dedicated integration guides for six platforms: Kubernetes (projected service account tokens), AWS (STS or EKS projected tokens), Microsoft Azure (managed identity or AKS tokens), Google Cloud (metadata server or GKE tokens), GitHub Actions (OIDC workflows), and SPIFFE (JWT-SVID standard for infrastructure).
Configuration is performed through Organization Settings > Security > Workload Identity Provider and is available to organization owners. JWKS verification supports both OIDC discovery and manually uploaded key sets. Discovery documents refresh every 600 seconds.
Why is this important for API access security?
Long-lived API keys represent a persistent security risk — once compromised, they allow unlimited access until manually revoked. Short-lived OIDC tokens automatically expire and are bound to the specific identity of the workload, significantly reducing the attack surface.
OpenAI recommends several practices: using separate service accounts per workload, separating development and production environments, precise claim matching (not just wildcards), and regular auditing of unused mappings. Mappings support wildcard matching, but only with a single trailing wildcard.
The introduction of this standard aligns OpenAI with the security practices that AWS, Google Cloud, and Azure already require from production workloads — the token exchange is based on the OAuth 2.0 Token Exchange specification (RFC 8693).
Frequently Asked Questions
- What is OpenAI Workload Identity Federation and what does it do?
- Workload Identity Federation is a mechanism that replaces static API keys with short-lived tokens. Workloads present an OIDC token from their cloud environment (AWS, Azure, GCP, GitHub Actions...) and receive a temporary OpenAI token for authentication in return.
- Which platforms does OpenAI Workload Identity Federation support?
- Supported platforms are Kubernetes (projected service account tokens), AWS (STS or EKS), Microsoft Azure (managed identity or AKS), Google Cloud (metadata server or GKE), GitHub Actions (OIDC workflows), and SPIFFE (JWT-SVID).
- How is the OpenAI Workload Identity Provider configured?
- Organization owners access settings via Organization Settings > Security > Workload Identity Provider. JWKS verification supports OIDC discovery and manually uploaded key sets; discovery documents refresh every 600 seconds.
📬 AI news in your inbox
A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.
Related news
arXiv:2607.12200: framework for measuring CBRN 'uplift' in frontier models — material risk confirmed only in radiological domain
LangChain: why AI agents need their own isolated computer (sandbox)
GitHub: AI security detections on pull requests and /security-review in the Copilot app