It gives you a single place to manage roles and access (RBAC), saving you the hassle of managing API key generation and provisioning for N consumers multiplied by M services. The second thing would be that you don’t have to think about API key rotations and revocation everywhere; the only auth is done to the IdP (possibly with MFA), and from there everything else is short-lived tokens.