Operations
From shared keys to per-worker identity
A shared API key is convenient right up until something goes wrong. Then you discover that your logs record the key, not which of the five agents using it made the call. You cannot attribute the action, and you cannot revoke the key without breaking every agent that depends on it.
Identity is an operational feature, not a formality
Per-worker identity means each agent carries its own scoped token tied to a role. That single change unlocks the operations you actually need when things get interesting:
- Attribution — every call names a worker, so "who did this?" has an answer.
- Surgical revocation — disable one worker without rotating a secret that five others depend on.
- Per-worker scope — different roles get different access, instead of all sharing the key's maximum.
- Clean rotation — cycle one worker's credentials without a fleet-wide outage.
"Which agent did this?" should never be answered with "we can't tell."
The migration is incremental
You do not have to flip everything at once. Stand up per-worker tokens behind a layer that holds the real credentials, move workers over one role at a time, and retire the shared key once the audit log shows nothing still depends on it. Grantry issues a scoped token per worker, so identity and least privilege arrive together rather than as separate projects.
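One way to run the audit-log check before retiring the shared key, as an added example that is not from the original page and is not Grantry's code. The JSON-lines log format, its field names (`cred`, `worker`, `role`, `source`), the credential id `shared-key` and the 14-day quiet window are all assumptions for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (JSON lines). The field names are assumptions,
# not a real product format. Shared-key calls carry no "worker" field, so the
# network source is the only hint about who still uses the key.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00+00:00", "cred": "shared-key", "source": "10.0.0.11"}
{"ts": "2024-05-02T09:00:00+00:00", "cred": "tok-a1", "worker": "wk-triage-01", "role": "triage"}
{"ts": "2024-05-10T09:00:00+00:00", "cred": "shared-key", "source": "10.0.0.12"}
{"ts": "2024-05-15T09:00:00+00:00", "cred": "tok-b7", "worker": "wk-billing-01", "role": "billing"}
{"ts": "2024-05-18T09:00:00+00:00", "cred": "tok-a1", "worker": "wk-triage-01", "role": "triage"}
"""

def retirement_report(log_text, shared_cred, now, quiet_days=14):
    """Report whether the shared key saw any use in the last quiet_days."""
    cutoff = now - timedelta(days=quiet_days)
    by_worker = Counter()    # attributed calls: worker id -> count
    stragglers = Counter()   # recent shared-key calls: source -> count
    last_shared = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        ts = datetime.fromisoformat(entry["ts"])
        if entry["cred"] == shared_cred:
            last_shared = ts if last_shared is None else max(last_shared, ts)
            if ts >= cutoff:
                stragglers[entry.get("source", "unknown")] += 1
        elif "worker" in entry:
            by_worker[entry["worker"]] += 1
    return {
        "safe_to_retire": not stragglers,
        "last_shared_use": last_shared,
        "stragglers": dict(stragglers),
        "calls_by_worker": dict(by_worker),
    }

if __name__ == "__main__":
    now = datetime(2024, 5, 20, tzinfo=timezone.utc)
    print(retirement_report(SAMPLE_LOG, "shared-key", now))
```

The `stragglers` map lists the sources that still present the shared key inside the quiet window, which tells you where the remaining unmigrated workers are running.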