By AUJay
The Business Case for Keyless APIs: Reducing Liability and Increasing Revenue
The headache you’re living with
Your APIs and on-chain interactions are still relying on those old static credentials. Think about it--CI jobs, mobile apps, partner integrations, and even IoT firmware are all stuck using long-lived API keys and seed phrases. These things are nearly impossible to track down, refresh, or revoke when you need to. And while that’s going on:
- Secrets exposure is on the rise again: a whopping 23.8 million secrets were leaked on public GitHub in 2024, which is a 25% increase year over year. Plus, it turns out that 70% of the secrets leaked in 2022 were still valid in 2024. Just one compromised key is enough for attackers to slip past all your other defenses. (blog.gitguardian.com)
- Regulators are stepping up their game: NIST wrapped up SP 800‑63‑4 in July/August 2025, which now includes synced passkeys. DORA has been in effect since January 17, 2025, and eIDAS 2.0 is pushing EU member states to roll out a digital identity wallet by 2026. When you're going through procurement, expect questions about how your architecture fits into these new requirements. (csrc.nist.gov)
- Your developers are battling UX debt: those annoying password resets and seed phrase issues can really hurt your conversion rates. But on the bright side, passkeys are becoming the norm now--69% of consumers have at least one, leading to significantly higher sign-in success rates. (fidoalliance.org)
Result: missed launch dates, audit findings, revenue lost to abandoned carts and failed sign-ins, plus a lingering risk register packed with those “rotate keys quarterly” tasks that just never seem to get done.
The risk you can’t ignore in 2026
- Did you know that “non‑human identities” like API keys, service accounts, and automation tokens actually outnumber real employees? They're often left unmanaged across platforms like Slack, Jira, container images, and Docker registries. Even organizations that use secrets managers aren't safe--leaks still happened at around 5.1% in 2024. That's quite a liability, isn't it? (blog.gitguardian.com)
- Time’s ticking on compliance:
- DORA is shaking things up with strict requirements for third-party oversight, information registries, and major incident reporting that needs to happen in hours instead of days. If credentials leak now, it’s not just ‘bad luck’; it’s a failure in governance. (eba.europa.eu)
- NIST 800‑63‑4 is all about promoting passwordless (syncable) authenticators and federation. If you're still using long-lived API keys or traditional passwords when there are stronger, phishing-resistant solutions out there, you might find yourself in a tough spot on a vendor risk questionnaire. (nist.gov)
- With eIDAS 2.0 and the EU Digital Identity Wallet, you need to align with relying parties for age verification, KYC, or attribute proofs. Basically, your APIs will require verifiable assertions instead of relying on shared secrets. (consilium.europa.eu)
- Onchain user experience continues to be a sneaky downfall: when users have to deal with things like native gas fees and seed phrases, it often leads to abandonment. But good news! Using USDC gas with Paymasters and passkeys takes away those annoying hurdles. Plus, Pectra’s EIP‑7702 (scheduled for May 7, 2025) is set to make these processes top-notch for EOAs. (circle.com)
7Block Labs’ Keyless API methodology
We're transforming “key sprawl” into a more secure and reliable way to access your Web2 APIs and Web3 stack--by making it identity-bound, signed, and provable.
1) Keyless foundation for Web2 APIs (M2M, B2B, device)
Swap out bearer keys for sender-constrained, short-lived tokens and add in message-level proofs.
- OAuth 2.1 profile + sender‑constrained tokens:
- mTLS‑bound tokens (RFC 8705) are designed for servers, agents, and those super-critical backends. These tokens tie directly to the client using certificates, and any replayed tokens will get booted at the TLS level. Check it out here: (rfc-editor.org).
- DPoP (RFC 9449) is for those browser, mobile, and public clients--you get application‑layer proof‑of‑possession with this one. It’s already been jumped on by Okta, Auth0, and Keycloak back in 2025. Dive into the details: (ietf.org).
- Keep an eye on the latest OAuth 2.1 drafts so you can phase out those outdated flows and sync up with security best current practices. More info here: (ietf.org).
- HTTP Message Signatures (RFC 9421) are a solid way to ensure non-repudiation for those crucial API calls (think purchases, payouts, admin changes) using Ed25519/P‑384. They're intermediary-tolerant, standardized, and make auditing a breeze. Learn more at: (rfc-editor.org).
- Workload Identity Federation means no more service-account keys. Instead, you can federate into Google Cloud via STS, which is way safer than handing out JSON keys. Plus, you can do something similar using IAM Roles Anywhere for AWS. Seriously, no long-lived keys on your CI or laptops! More details: (docs.cloud.google.com).
- mTLS at the edge for devices/legacy: Think of API Shield-style client certs for your IoT devices or mobile apps where an IdP sign-in isn’t an option. Get the scoop here: (developers.cloudflare.com).
What you get with this:
- “Token replay is blocked by design” (thanks to mTLS/DPoP).
- Say goodbye to storing and sharing those static API keys.
- Ensures each request is verifiable and secure for those high-stakes operations (hello, HTTP signatures).
2) Keyless for Web3 -- passkeys + account abstraction, without seed phrases
Ship the “no-seed, no-gas” user experience while keeping self-custody controls intact.
- Passkey sign-in (WebAuthn/FIDO2) is here to make wallet actions super easy--it's perfect for both everyday users and businesses. Check out how Coinbase Smart Wallet has integrated native passkey flows for a smooth experience across different devices. (help.coinbase.com)
- Account Abstraction is now in full swing:
- We’ve got ERC‑4337 smart accounts along with paymasters, session keys, and spending limits. It's all about making things more user-friendly. (docs.erc4337.io)
- EIP‑7702 has been live since May 7, 2025, allowing Externally Owned Accounts (EOAs) to act like smart accounts temporarily. This means your users can keep using the same address while you add cool features like programmable policies and gas abstraction. (blog.ethereum.org)
- Here’s a look at permissions and sessions that the Product can work with:
- EIP‑5792 wallet_sendCalls helps with discovering capabilities for batching and sponsorship. What a time-saver! (docs.dynamic.xyz)
- ERC‑7715 wallet_grantPermissions allows you to set time-limited, contract-specific permissions (like, “up to $25 of ERC‑20 per day at this marketplace”). Pretty neat, right? (eips.ethereum.org)
- We’re also seeing some exciting new features coming in, like ERC‑7867 flow control and ERC‑7682 auxiliary funds for safer batching and gas management. (eips.ethereum.org)
- USDC Gas via Paymasters (Circle) means users can now pay fees in USDC across major EVMs--talk about flexibility! With EIP‑7702 support, EOAs can benefit from this too. The pricing was free until June 30, 2025, and now a typical surcharge on gas is about 10%. Say goodbye to the “you need ETH first” hassle! (circle.com)
What you get with this:
- Smooth onboarding using passkeys that are resistant to phishing.
- One-click sessions where you can set clear budgets and expiration times.
- Fewer drop-offs since users won't need to deal with native gas.
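To show what a one-click session with a budget and an expiry means on the dApp side, here is an added example (not code from the original post or from 7Block Labs). It keeps the dApp's local view of an ERC-7715 grant ("transfer USDC to this marketplace, daily cap $50, gas via Paymaster"), batches follow-up transfers into one EIP-5792 wallet_sendCalls request, and re-prompts only when the cap or the 24-hour window is exhausted. The contract and account addresses, chain id, paymaster URL and the exact JSON-RPC field names are illustrative assumptions; the wallet or smart account is what actually enforces the permission on-chain.

```javascript
// Added example, not from the original post: dApp-side bookkeeping for a passkey user's
// ERC-7715 session so that follow-up actions go out as one EIP-5792 wallet_sendCalls batch
// and the user is only re-prompted when the cap or the 24h window runs out. The wallet /
// smart account enforces the permission on-chain; this is only the dApp's local view.
// Addresses, chain id, paymaster URL and the exact request shapes are illustrative
// assumptions (check the ERC-7715 / EIP-5792 revisions your target wallet implements).

const USDC = '0x4444444444444444444444444444444444444444'; // constructed placeholder, not a real token address
const TRANSFER_SELECTOR = '0xa9059cbb';                     // keccak256("transfer(address,uint256)")[:4]
const usd = (dollars) => BigInt(Math.round(dollars * 1_000_000)); // USDC has 6 decimals
const pad32 = (hex) => hex.replace(/^0x/, '').toLowerCase().padStart(64, '0');

// ABI-encode transfer(to, amount) without a library: selector + two 32-byte words.
function encodeTransfer(to, amount) {
  return TRANSFER_SELECTOR + pad32(to) + pad32(amount.toString(16));
}

// Illustrative ERC-7715 request sent once, right after passkey sign-in.
// Field names follow one draft revision of the ERC and are an assumption here.
function grantPermissionsRequest({ chainId, account, dailyCapUsd, now, ttlSeconds = 86400 }) {
  return {
    method: 'wallet_grantPermissions',
    params: [{
      chainId,
      expiry: now + ttlSeconds,
      signer: { type: 'account', data: { address: account } },
      permissions: [{
        type: 'erc20-token-transfer',
        data: { address: USDC, allowance: '0x' + usd(dailyCapUsd).toString(16) },
        required: true,
      }],
    }],
  };
}

// Local session state kept after the wallet accepts the grant (constructed sample).
function newSession({ chainId, account, spender, dailyCapUsd, now, ttlSeconds = 86400 }) {
  return { chainId, account, spender, cap: usd(dailyCapUsd), spent: 0n, expiry: now + ttlSeconds };
}

// Decide whether a batch of USDC transfers fits the session; if so, build wallet_sendCalls.
// Returns {action:'send', request, remaining} or {action:'reprompt', reason}.
function planBatch(session, transfers, now) {
  if (now >= session.expiry) return { action: 'reprompt', reason: 'session expired' };
  if (transfers.some((t) => t.to.toLowerCase() !== session.spender.toLowerCase())) {
    return { action: 'reprompt', reason: 'target not permitted' };
  }
  const total = transfers.reduce((acc, t) => acc + usd(t.amountUsd), 0n);
  if (session.spent + total > session.cap) return { action: 'reprompt', reason: 'daily cap exceeded' };
  session.spent += total;
  const request = {
    method: 'wallet_sendCalls',
    params: [{
      version: '1.0',                       // EIP-5792 v1.0-style params (assumed)
      chainId: session.chainId,
      from: session.account,
      calls: transfers.map((t) => ({ to: USDC, value: '0x0', data: encodeTransfer(t.to, usd(t.amountUsd)) })),
      capabilities: { paymasterService: { url: 'https://paymaster.example/rpc' } }, // ERC-7677-style; assumed URL
    }],
  };
  return { action: 'send', request, remaining: session.cap - session.spent };
}

// Constructed run: a batch within budget, one over the cap, one to a non-permitted target, one after expiry.
function demoSession() {
  const now = 1_750_000_000;
  const marketplace = '0x1111111111111111111111111111111111111111'; // constructed
  const account = '0x2222222222222222222222222222222222222222';     // constructed (7702-upgraded EOA)
  const chainId = '0x2105';                                          // assumed chain id
  const session = newSession({ chainId, account, spender: marketplace, dailyCapUsd: 50, now });
  const first = planBatch(session, [{ to: marketplace, amountUsd: 20 }, { to: marketplace, amountUsd: 10 }], now + 60);
  const overCap = planBatch(session, [{ to: marketplace, amountUsd: 25 }], now + 120);
  const wrongTarget = planBatch(session, [{ to: '0x3333333333333333333333333333333333333333', amountUsd: 1 }], now + 180);
  const expired = planBatch(session, [{ to: marketplace, amountUsd: 1 }], now + 86400);
  const grant = grantPermissionsRequest({ chainId, account, dailyCapUsd: 50, now });
  return { grant, first, overCap, wrongTarget, expired };
}
```

The point of keeping `spent` and `expiry` locally is that the dApp can tell in advance that a batch will not fit and ask the user for a fresh grant, instead of letting the wallet reject the UserOp after the fact. The recipient restriction is checked here in the dApp; express it in the wallet's own policy vocabulary as well, since only the on-chain check is binding.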
3) Compliance‑ready controls (2025-2026)
- When it comes to authenticators and federation, make sure to align them with NIST SP 800‑63‑4. You want to focus on syncable passkeys (AAL2+), set up phishing-resistant flows, and manage those federation assertions properly. Check out more details at nist.gov.
- For DORA alignment, it's time to ditch those long‑lived secrets. Prove you have strong access controls in place and get ready for “major incident” telemetry. You’ll need to prepare things like JA3/JA4, DPoP thumbprints, and mTLS cert hashes for those 4‑hour notifications. More info can be found at eba.europa.eu.
- Looking ahead to 2026, make sure you’re ready for eIDAS 2.0 and the EUDI Wallet as a relying party. Design your APIs to accept verifiable attributes instead of just screenshots. You can learn more about it at consilium.europa.eu.
4) Execution blueprint (90 days)
- Week 0-2: Kick things off with a secrets risk census (think code, CI, containers, and collaboration tools) and create a “kill list” for those high-blast-radius keys. Let's put some rotation freezes in place and get WIF/assume-role patterns up and running.
- Week 3-6: Next up, let’s switch our first M2M integrations over to OAuth with mTLS/DPoP. We’ll also wire up HTTP Message Signatures for our admin and payout endpoints and enable passkeys for customer authentication.
- Week 7-10: Time to pilot the ERC‑4337/EIP‑7702 wallet using ERC‑7715 permissions along with Circle Paymaster. We’ll be measuring conversion rates and tackling support tickets during this phase.
- Week 11-13: Finally, we’ll put together a cutover plan that includes partners, mobile apps, and device fleets. We’ll deprecate those static keys in our pipelines and compile a compliance evidence pack for both Procurement and Security.
We make it happen and strengthen our solutions through:
- Custom integrations with our blockchain integration and web3 development services.
- On-chain policy design and thorough audits offered by our security audit services.
- Smart accounts and dApp builds crafted through our smart contract development, dApp development, and DeFi development services.
- Cross-chain user journeys thanks to our cross-chain solutions development and blockchain bridge development.
- Productized platforms like asset tokenization and marketplaces, which we create through our asset tokenization and asset management platform development.
Prove -- GTM metrics tied to ROI and procurement checklists
What Leaders Can Measure in Quarter One:
As we dive into the first quarter, there are a few key metrics and indicators that leaders should keep an eye on:
- Sales Performance: Check out how your sales team is doing compared to your goals. Are they on track? Any trends popping up?
- Customer Engagement: Look at how your customers are interacting with your brand. Are they visiting your website, engaging on social media, or reaching out with inquiries?
- Employee Productivity: Take a peek at how engaged and productive your team members are. Are they hitting their targets? What’s the morale like?
- Financial Health: Review your financial statements. Are you sticking to your budget? How is your cash flow looking for the start of the year?
- Market Trends: Stay updated on any shifts in your industry. What’s new? Are there emerging trends you should be aware of?
- Customer Feedback: Gather insights from your customers. What are they saying about your products or services? This can be a goldmine for improvement.
- Operational Efficiency: Assess how smoothly everything's running. Are your processes efficient, or is there room for improvement?
- Goal Progress: Revisit the goals you set at the beginning of the year. How far along are you, and do any adjustments need to be made?
By keeping track of these aspects in the first quarter, you'll have a solid foundation to build on for the rest of the year.
- Security/Risk
- The goal is to hit a “Zero long‑lived secrets in CI and app repos” KPI--this is powered by GitGuardian scans. We're aiming for a 90% cut in valid leaked secrets within 60 days. Considering the landscape with a whopping 23.8 million leaks in 2024, and 70% of those still hanging around two years later, achieving this will definitely be a big win at the board level. Check out more about it here.
- We’re logging the sender-constraint evidence for every token (mTLS cert thumbprints or the DPoP jkt), which makes replay attacks both harder to pull off and easier to spot. Plus, we’re using HTTP Message Signatures for all payout and admin calls--more on that can be found here.
- Revenue/Conversion
- We've got some exciting plans for passkey sign‑ins! Our target? A 20-30% boost in successful sign‑ins. Benchmarks are promising, showing massive differences (like over 90% success rates compared to around 60-70% for regular passwords). Plus, it looks like 69% of consumers are already on board with at least one passkey. Fewer resets will mean fewer folks dropping off. You can read more about this here.
- We're also focusing on improving the onchain completion rate. By adding USDC gas through Paymaster and making ERC‑7715 permissions a one-click thing, we can cut down on those “need native token” drop-offs. Circle reports that they’re all about multi‑chain EVM support and EIP‑7702 compatibility for EOAs--check it out here.
- Opex/Time‑to‑Market
- We’re looking to make life easier by cutting down on key rotation and rollout hassle. Using WIF and OAuth for device/agent registration will help lower the ticket volume and avoid those annoying “hot potato” rotations every time there’s an incident. For more details, see here.
- We’re speeding up procurement too! By providing mappings to NIST 800‑63‑4 AALs and the DORA ICT RMF, we can reduce the back-and-forth on security questionnaires. For more info on this, check this link out here.
- Sender-constrained token (DPoP) for a SPA calling your API:
- The client creates a temporary keypair and adds a DPoP header, which is a signed proof covering htm, htu, iat, and a nonce if the server asks for one. Your Authorization Server then hands out a dpop access token with cnf.jkt. The resource server checks both the token and the proof for each request. This has been backed by major IdPs since 2025. (ietf.org)
- Certificate-bound OAuth (RFC 8705) for backend jobs:
- When a CI runner needs to authenticate, it uses mutual TLS, and the Authorization Server ties the token to the client certificate. So even if the token somehow ends up in the logs, no worries--it can’t be used without the private key. (rfc-editor.org)
- Verifiable API operations with HTTP Message Signatures:
- Sign things like @method, @target-uri, date, content-digest, and a business header (like x-order-id) using Ed25519. It’s smart to keep those signature verification artifacts handy for any disputes that might come up. (rfc-editor.org)
- Passkeys + EIP-7702 + ERC-7715 for consumer actions:
- Users log in with a passkey, and the wallet grants a session permission for 24 hours: “call Contract X → method Y, daily cap $50 USDC, gas via Paymaster.” The dApp then sends a batched wallet_sendCalls (EIP-5792); there are no extra prompts unless the budget or the time window runs out. Thanks to EIP-7702, you can keep EOA compatibility without any hassle. (docs.dynamic.xyz)
- Gas abstraction via USDC:
- Work in Circle Paymaster: get an EIP-2612 permit, create a UserOp, and send it to a bundler. Circle takes care of the native gas and charges the user in USDC (with fees waived until 06/30/2025; usually around 10% of gas costs). This works with seven major EVM chains and EOAs post-7702. (circle.com)
- Workload Identity Federation (no JSON keys in CI):
- Use GitHub Actions OIDC to get into Google STS for a short-lived access token; or use mTLS/X.509 with AWS IAM Roles Anywhere for some temporary credentials. No key files to sweat over. (docs.cloud.google.com)
- mTLS for devices:
- Make sure to provision device client certificates and only allow API access with valid client cert chains (Cloudflare API Shield even supports using your own CA for enterprise PKI). (developers.cloudflare.com)
Audience -- who this is for (and the words you need in your deck)
- CIO / VP Platform Engineering: “We’re diving into OAuth 2.1, plus checking out RFC 8705 for mTLS and RFC 9449 for DPoP. Don’t forget about HTTP Message Signatures (RFC 9421), OIDC Federation, and Workload Identity Federation.”
- CISO / Risk: “We’re focusing on sender-constrained tokens and device-bound credentials. Plus, we’re rolling out keyless CI/CD and ensuring audit-grade non-repudiation, alongside gathering incident telemetry (think DPoP jkt and mTLS thumbprints). And let’s not overlook our readiness for DORA’s 4-hour reporting.”
- VP Product / Head of Growth: “We’re optimizing passkey funnels with a fantastic 93% success rate, implementing one-click ERC-7715 sessions, and tackling USDC gas abstraction to cut down on abandonment rates.”
- Head of Payments/Treasury: “We’re working with EIP-7702 smart EOAs and ERC-4337 paymasters, rethinking the USDC fee UX, streamlining reconciled gas costs, and putting in place programmable spend caps.”
- Procurement / Legal: “We’re aligning with NIST SP 800-63-4 mapping (AAL2+), tackling DORA ICT RMF controls, and exploring the eIDAS 2.0 EUDI Wallet reliance model while reducing vendor risk by avoiding static keys.” (csrc.nist.gov)
Why 7Block Labs
We connect the nitty-gritty of protocols with the bigger picture at the board level. Our team rolls out OAuth DPoP/mTLS and HTTP-signed APIs, all while working on EVM smart-account stacks using ERC-4337/EIP-7702 and USDC paymasters. Once that's done, we provide Procurement with a neat 800-63-4/DORA evidence pack. Check out our blockchain development services and cross-chain solutions. And when it's time for the security review, we make sure to include our security audit services.
Best emerging practices for 2026 (brief, in‑depth)
- Go with DPoP for public clients and mTLS for server/service and device setups. Pair that with HTTP Message Signatures for those critical writes; don’t just rely on Bearer tokens. Check it out here: (ietf.org)
- Time to ditch service-account keys! Switch to Workload Identity Federation and role impersonation wherever you can. Set up org policies that ban key creation for good. Get more details here: (docs.cloud.google.com)
- Let’s make passkeys the go-to option! Keep those fallback paths to a minimum. Use platform keychains or enterprise passkey managers with recovery options, sticking to the 800‑63‑4 guidance. Learn more at: (nist.gov)
- Standardize smart-account features for apps using EIP‑5792. Control those “power user” flows with ERC‑7715 permissions instead of messy session keys. For more info, check this out: (docs.dynamic.xyz)
- When it comes to on-chain fees, opt for USDC gas (Circle Paymaster) for consumer transactions. For B2B, sponsor gas with clear guardrails and list the surcharge as COGS. Dive deeper here: (developers.circle.com)
- Keep your logs in line with incident obligations: retain DPoP jkt, mTLS cert hashes, HTTP signature metadata, and OAuth token IDs to piece together event timelines (DORA major-incident reporting). Full details can be found here: (eba.europa.eu)
- Get ready for Ethereum Pectra (Mainnet launching on May 7, 2025) and use this as a reason to prioritize those 7702/4337 hybrid wallets now--no need for address migration! Check out the scoop over at: (blog.ethereum.org)
We’ll design and set up everything from start to finish, and then show your teams how to run it smoothly. Check out our other offerings: custom blockchain development services, blockchain integration, smart contract development, and dApp development.
CTA
Hey there! If you're the VP of Platform or CISO responsible for managing API risk and conversion this quarter, we’d love to hear from you. Please share your highest-risk API and the on-chain flow that gets the least attention.
In just 21 days, we’ll take care of replacing static keys with DPoP/mTLS along with HTTP signatures. Plus, we’ll roll out passkeys and ERC-7715 sessions using USDC for gas. To top it off, we’ll provide you with a mapped NIST 800-63-4/DORA evidence pack, all set to go for Procurement before your Q2 board meeting. Looking forward to collaborating!