I wrote a post[0] a few years ago about how you basically get OAuth when you start layering security principles (rotation, time limits, central verification) onto API keys.

Turns out those standards writers knew something!

0: https://fusionauth.io/blog/securing-your-api