diff --git a/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
index 04ebd41c130..bbcdbb2bdaa 100644
--- a/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
+++ b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
@@ -17,11 +17,11 @@
 import org.eclipse.edc.api.auth.spi.ApiAuthenticationProvider;
 import org.eclipse.edc.api.auth.spi.AuthenticationService;
 import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationProviderRegistry;
-import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry;
 import org.eclipse.edc.keys.spi.KeyParserRegistry;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.spi.system.ServiceExtension;
@@ -45,29 +45,29 @@ @Extension(value = DelegatedAuthenticationExtension.NAME) public class DelegatedAuthenticationExtension implements ServiceExtension { - public static final int DEFAULT_VALIDATION_TOLERANCE = 5_000; public static final String NAME = "Delegating Authentication Service Extension"; + private static final int DEFAULT_VALIDATION_TOLERANCE = 5_000; + private static final String AUTH_KEY = "auth"; + private static final String CONFIG_ALIAS = WEB_HTTP_PREFIX + ".." + AUTH_KEY + "."; + private static final String DELEGATED_TYPE = "delegated"; + @Deprecated(since = "0.12.0", forRemoval = true) private static final String KEY_URL_PROPERTY = "edc.api.auth.dac.key.url"; + @Deprecated(since = "0.12.0", forRemoval = true) + private static final String DEPRECATED_AUTH_CACHE_VALIDITY = "edc.api.auth.dac.cache.validity"; - @Deprecated(since = "0.7.1") - @Setting(description = "Duration (in ms) that the internal key cache is valid", defaultValue = "" + DEFAULT_CACHE_TIME_TO_LIVE, key = "edc.api.auth.dac.cache.validity", required = false) - private long cacheValidityMs; - - @Deprecated(since = "0.7.1") - @Setting(description = "URL where the third-party IdP's public key(s) can be resolved", key = KEY_URL_PROPERTY, required = false, warnOnMissingConfig = true) - private String keyUrl; - - public static final String AUTH_KEY = "auth"; - public static final String CONFIG_ALIAS = WEB_HTTP_PREFIX + ".." 
+ AUTH_KEY + "."; @Setting(context = CONFIG_ALIAS, description = "URL where the third-party IdP's public key(s) can be resolved for the configured ") public static final String AUTH_KEY_URL = "dac.key.url"; @Setting(context = CONFIG_ALIAS, description = "Duration (in ms) that the internal key cache is valid for the configured ", type = "Long", defaultValue = "" + DEFAULT_CACHE_TIME_TO_LIVE) public static final String AUTH_CACHE_VALIDITY_MS = "dac.cache.validity"; - public static final String DELEGATED_TYPE = "delegated"; @Setting(description = "Default token validation time tolerance (in ms), e.g. for nbf or exp claims", defaultValue = "" + DEFAULT_VALIDATION_TOLERANCE, key = "edc.api.auth.dac.validation.tolerance") private int validationTolerance; - @Inject - private ApiAuthenticationRegistry authenticationRegistry; + @Deprecated(since = "0.12.0", forRemoval = true) + @Setting(description = "Duration (in ms) that the internal key cache is valid", defaultValue = "" + DEFAULT_CACHE_TIME_TO_LIVE, key = DEPRECATED_AUTH_CACHE_VALIDITY, required = false) + private long cacheValidityMs; + @Deprecated(since = "0.12.0", forRemoval = true) + @Setting(description = "URL where the third-party IdP's public key(s) can be resolved", key = KEY_URL_PROPERTY, required = false, warnOnMissingConfig = true) + private String keyUrl; + @Inject private ApiAuthenticationProviderRegistry providerRegistry; @Inject 
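Review bot: The re-added deprecated `keyUrl` setting keeps `warnOnMissingConfig = true` although the same class now rejects that key whenever it is present, so a correctly migrated runtime would presumably be warned at every start about a setting it must not provide. Suggest `@Setting(description = "URL where the third-party IdP's public key(s) can be resolved", key = KEY_URL_PROPERTY, required = false)` for the deprecated field. Since the two deprecated fields and the two deprecated constants all carry `@Deprecated(since = "0.12.0", forRemoval = true)`, a Javadoc `@deprecated` tag naming the replacement (`AUTH_KEY_URL` and `AUTH_CACHE_VALIDITY_MS` under the `CONFIG_ALIAS` context) would make the migration discoverable from the code itself. The class body continues past this hunk.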
@@ -88,20 +88,17 @@ public String name() { public void initialize(ServiceExtensionContext context) { var monitor = context.getMonitor().withPrefix("Delegated API Authentication"); - if (keyUrl == null) { - monitor.warning("The '%s' setting was not provided, so the DelegatedAuthenticationService will NOT be registered. In this case, the TokenBasedAuthenticationService usually acts as fallback.".formatted(KEY_URL_PROPERTY)); - return; + if (keyUrl != null) { + var message = "Settings %s and %s have been removed".formatted(KEY_URL_PROPERTY, DEPRECATED_AUTH_CACHE_VALIDITY) + + ", to configure delegated authentication for management api please configure it properly through the " + + "`web.http.management.auth.%s` and `web.http.management.auth.%s` settings".formatted(AUTH_KEY_URL, AUTH_CACHE_VALIDITY_MS); + context.getMonitor().severe(message); + throw new EdcException(message); } - //todo: currently, only JWKS urls are supported - var resolver = JwksPublicKeyResolver.create(keyParserRegistry, keyUrl, monitor, cacheValidityMs); - tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new NotBeforeValidationRule(clock, validationTolerance, true)); tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new ExpirationIssuedAtValidationRule(clock, validationTolerance, true)); - // always register - this would potentially overwrite other services - authenticationRegistry.register("management-api", new DelegatedAuthenticationService(resolver, monitor, tokenValidationService, tokenValidationRulesRegistry)); - providerRegistry.register(DELEGATED_TYPE, (cfg) -> delegatedProvider(monitor, cfg)); } diff --git a/extensions/common/auth/auth-tokenbased/README.md b/extensions/common/auth/auth-tokenbased/README.md deleted file mode 100644 index a19a7200295..00000000000 --- a/extensions/common/auth/auth-tokenbased/README.md +++ /dev/null 
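Review bot: The guard only tests `keyUrl`, yet the message states that both `KEY_URL_PROPERTY` and `DEPRECATED_AUTH_CACHE_VALIDITY` were removed; `cacheValidityMs` is still injected with a default value and never read in this method, so a deployment that sets only the deprecated cache-validity key starts without any error and the value is silently ignored. Because a primitive `long` with a `defaultValue` cannot reveal whether the key was configured, check the raw configuration instead: `if (keyUrl != null || context.getSetting(DEPRECATED_AUTH_CACHE_VALIDITY, null) != null) {`. Minor point of style: the prefixed `monitor` created two lines earlier is the natural sink here, `monitor.severe(message)`, rather than going back to `context.getMonitor()`. The `delegatedProvider` helper referenced on the last line lies outside the hunk.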
@@ -1,21 +0,0 @@
-# Token Based Authentication Service
-
-The token based authentication service extension is used to secure connector APIs. These APIs are not protected by the `AuthenticationService` by default. To find out how a specific API is protected please consult its documentation.
-
-APIs, protected by this extension, require a client to authenticate by adding a authentication key to the request header.
-
-Authentication Header Example:
-```
-curl --header "X-API-Key: "
-```
-
-## Configuration
-
-| Key | Description | Required |
-|:-----------------------|:-------------------------------------------------------------|:---------|
-| edc.api.auth.key | API Key Header Value | false |
-| edc.api.auth.key.alias | Secret name of the API Key Header Value, stored in the vault | false |
-
-- If the API key is stored in the Vault _and_ in the configuration, the extension will take the key from the vault.
-
-- If no API key is defined, a random value is generated and printed out into the logs.
\ No newline at end of file
diff --git a/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java b/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
index fe9f004b3d3..277fa244ef8 100644
--- a/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
+++ b/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
@@ -19,10 +19,10 @@
 import org.eclipse.edc.api.auth.spi.ApiAuthenticationProvider;
 import org.eclipse.edc.api.auth.spi.AuthenticationService;
 import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationProviderRegistry;
-import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.spi.security.Vault;
 import org.eclipse.edc.spi.system.ServiceExtension;
@@ -30,7 +30,6 @@
 import org.eclipse.edc.spi.system.configuration.Config;
 import java.util.Optional;
-import java.util.UUID;
 import static org.eclipse.edc.web.spi.configuration.WebServiceConfigurer.WEB_HTTP_PREFIX;
@@ -42,25 +41,27 @@ public class TokenBasedAuthenticationExtension implements ServiceExtension { public static final String NAME = "Static token API Authentication"; - public static final String AUTH_KEY = "auth"; + private static final String AUTH_KEY = "auth"; + private static final String CONFIG_ALIAS = WEB_HTTP_PREFIX + ".." + AUTH_KEY + "."; + private static final String TOKENBASED_TYPE = "tokenbased"; + @Deprecated(since = "0.12.0", forRemoval = true) + private static final String AUTH_SETTING_APIKEY = "edc.api.auth.key"; + @Deprecated(since = "0.12.0", forRemoval = true) + private static final String AUTH_SETTING_APIKEY_ALIAS = "edc.api.auth.key.alias"; - public static final String CONFIG_ALIAS = WEB_HTTP_PREFIX + ".." + AUTH_KEY + "."; - @Setting(context = CONFIG_ALIAS, value = "The api key to use for the ") + @Setting(context = CONFIG_ALIAS, description = "The api key to use for the ") public static final String AUTH_API_KEY = "key"; - @Setting(context = CONFIG_ALIAS, value = "The vault api key alias to use for the ") + @Setting(context = CONFIG_ALIAS, description = "The vault api key alias to use for the ") public static final String AUTH_API_KEY_ALIAS = "key.alias"; - public static final String TOKENBASED_TYPE = "tokenbased"; - @Setting - @Deprecated(since = "0.7.1") - private static final String AUTH_SETTING_APIKEY = "edc.api.auth.key"; - @Setting - @Deprecated(since = "0.7.1") - private static final String AUTH_SETTING_APIKEY_ALIAS = "edc.api.auth.key.alias"; + @Setting(description = "DEPRECATED: auth key", key = AUTH_SETTING_APIKEY, required = false) + @Deprecated(since = "0.12.0", forRemoval = true) + private String deprecatedApiKey; + @Setting(description = "DEPRECATED: auth key alias", key = AUTH_SETTING_APIKEY_ALIAS, required = false) + @Deprecated(since = "0.12.0", forRemoval = true) + private String deprecatedApiKeyAlias; + @Inject private Vault vault; - @Inject - private ApiAuthenticationRegistry authenticationRegistry; - @Inject private 
ApiAuthenticationProviderRegistry providerRegistry; @@ -71,13 +72,12 @@ public String name() { @Override public void initialize(ServiceExtensionContext context) { - var apiKey = Optional.ofNullable(context.getSetting(AUTH_SETTING_APIKEY_ALIAS, null)) - .map(alias -> vault.resolveSecret(alias)) - .orElseGet(() -> context.getSetting(AUTH_SETTING_APIKEY, UUID.randomUUID().toString())); - - // only register as fallback, if no other has been registered - if (!authenticationRegistry.hasService("management-api")) { - authenticationRegistry.register("management-api", new TokenBasedAuthenticationService(apiKey)); + if (deprecatedApiKey != null || deprecatedApiKeyAlias != null) { + var message = "Settings %s and %s have been removed".formatted(AUTH_SETTING_APIKEY, AUTH_SETTING_APIKEY_ALIAS) + + ", to configure token based authentication for management api please configure it properly through the " + + "`web.http.management.auth.%s` or `web.http.management.auth.%s` settings".formatted(AUTH_API_KEY, AUTH_API_KEY_ALIAS); + context.getMonitor().severe(message); + throw new EdcException(message); } providerRegistry.register(TOKENBASED_TYPE, this::tokenBasedProvider); diff --git a/extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-accounts-api/src/main/java/org/eclipse/edc/api/iam/identitytrust/sts/accounts/StsAccountsApiExtension.java b/extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-accounts-api/src/main/java/org/eclipse/edc/api/iam/identitytrust/sts/accounts/StsAccountsApiExtension.java index a3d3e16d06d..bd8ab40cf94 100644 --- a/extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-accounts-api/src/main/java/org/eclipse/edc/api/iam/identitytrust/sts/accounts/StsAccountsApiExtension.java +++ b/extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-accounts-api/src/main/java/org/eclipse/edc/api/iam/identitytrust/sts/accounts/StsAccountsApiExtension.java 
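Review bot: The `@Setting` descriptions `"DEPRECATED: auth key"` and `"DEPRECATED: auth key alias"` on the two new fields are what operators will see in generated settings documentation, and they do not say what replaces the key; suggest `description = "DEPRECATED, use web.http.management.auth.key instead"` and `description = "DEPRECATED, use web.http.management.auth.key.alias instead"`, matching the replacement names the error message in `initialize` already spells out. A Javadoc `@deprecated` tag on both fields pointing at `AUTH_API_KEY` and `AUTH_API_KEY_ALIAS` would serve the same purpose for readers of the code. The class body continues past this hunk.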
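Review bot: The removed branch generated a random key whenever none was configured, so the management API always ended up behind some token check; the new code only registers a provider, and whether the management context is still protected when no provider type is selected for it depends on the provider registry and `AuthenticationRequestFilter` behaviour that are not part of this diff — worth confirming that the unconfigured case fails closed (requests rejected) rather than open. Logging the text with `severe` and then throwing `EdcException` with the same text reports the failure twice if the runtime already logs the boot exception; `throw new EdcException(message);` alone may be sufficient, as in the sibling extension. `initialize` continues after the hunk.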
@@ -16,40 +16,35 @@ import org.eclipse.edc.api.auth.spi.AuthenticationRequestFilter; import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry; -import org.eclipse.edc.api.auth.token.TokenBasedAuthenticationService; import org.eclipse.edc.api.iam.identitytrust.sts.accounts.controller.StsAccountsApiController; import org.eclipse.edc.iam.identitytrust.sts.spi.service.StsAccountService; import org.eclipse.edc.runtime.metamodel.annotation.Extension; import org.eclipse.edc.runtime.metamodel.annotation.Inject; import org.eclipse.edc.runtime.metamodel.annotation.Setting; -import org.eclipse.edc.spi.security.Vault; +import org.eclipse.edc.spi.EdcException; import org.eclipse.edc.spi.system.ServiceExtension; import org.eclipse.edc.spi.system.ServiceExtensionContext; import org.eclipse.edc.web.spi.WebService; import org.eclipse.edc.web.spi.configuration.ApiContext; -import static java.util.Optional.ofNullable; - @Extension(value = StsAccountsApiExtension.NAME, categories = { "sts", "dcp", "api" }) public class StsAccountsApiExtension implements ServiceExtension { public static final String NAME = "Secure Token Service Accounts API Extension"; public static final String STS_ACCOUNTS_API_CONTEXT = "sts-accounts-api"; - - @Setting(description = "API key (or Vault alias) for the STS Accounts API's default authentication mechanism (token-based).", key = "edc.api.accounts.key") + @Deprecated(since = "0.12.0", forRemoval = true) + private static final String EDC_API_ACCOUNTS_KEY = "edc.api.accounts.key"; + @Deprecated(since = "0.12.0", forRemoval = true) + @Setting(description = "API key (or Vault alias) for the STS Accounts API's default authentication mechanism (token-based).", key = EDC_API_ACCOUNTS_KEY) private String accountsApiKeyOrAlias; @Inject private StsAccountService clientService; - @Inject private WebService webService; @Inject private ApiAuthenticationRegistry authenticationRegistry; - @Inject - private Vault vault; - @Override public String name() { 
return NAME; @@ -57,18 +52,17 @@ public String name() { @Override public void initialize(ServiceExtensionContext context) { - - if (!authenticationRegistry.hasService(STS_ACCOUNTS_API_CONTEXT)) { - authenticationRegistry.register(STS_ACCOUNTS_API_CONTEXT, new TokenBasedAuthenticationService(resolveApiKey(context))); + if (accountsApiKeyOrAlias != null) { + var message = "Settings %s has".formatted(EDC_API_ACCOUNTS_KEY) + + ", to configure authentication for sts-accounts api please configure it properly through the " + + "`web.http.sts-accounts.auth..` settings, refer to the documentation for details."; + context.getMonitor().severe(message); + throw new EdcException(message); } + var authenticationFilter = new AuthenticationRequestFilter(authenticationRegistry, STS_ACCOUNTS_API_CONTEXT); webService.registerResource(ApiContext.STS_ACCOUNTS, new StsAccountsApiController(clientService)); webService.registerResource(ApiContext.STS_ACCOUNTS, authenticationFilter); } - - private String resolveApiKey(ServiceExtensionContext context) { - return ofNullable(vault.resolveSecret(accountsApiKeyOrAlias)) - .orElse(accountsApiKeyOrAlias); - } }
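Review bot: The deprecated `@Setting` on `accountsApiKeyOrAlias` is the only one in this commit without `required = false`; if `required` defaults to true (the annotation itself is not visible here), the runtime would demand a key that the new `initialize` then rejects with an exception. Suggest `@Setting(description = "API key (or Vault alias) for the STS Accounts API's default authentication mechanism (token-based).", key = EDC_API_ACCOUNTS_KEY, required = false)`, consistent with the two other deprecated fields in this change. The class body continues past this hunk.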
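Review bot: The error text is broken: `"Settings %s has".formatted(EDC_API_ACCOUNTS_KEY)` followed by `", to configure ..."` renders as "Settings edc.api.accounts.key has, to configure …", dropping the verb phrase the sibling extensions use; suggest `var message = "Setting %s has been removed".formatted(EDC_API_ACCOUNTS_KEY) +`. The `web.http.sts-accounts.auth..` fragment may have lost a placeholder in rendering, so the literal is worth re-checking in the source. Removing the default `TokenBasedAuthenticationService` registration means an `sts-accounts-api` context with no configured provider now relies on how `AuthenticationRequestFilter` and the registry treat a missing service, which is outside this diff; confirm that path rejects requests rather than letting them through.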