diff --git a/proposals/new/CLI-secret-for-api b/proposals/new/CLI-secret-for-api
new file mode 100644
index 00000000..3aebba24
--- /dev/null
+++ b/proposals/new/CLI-secret-for-api
@@ -0,0 +1,45 @@
+# Proposal: Use CLI secret for auth against the API (OIDC)
+
+Author: Luis Fittkau
+
+Discussion: -
+
+## Abstract
+
+Allow basic auth, consisting of username and CLI secret, in addition to the OIDC id token when authenticating against the API when OIDC is enabled. Deprecate auth via OIDC id token.
+
+## Background
+
+With OIDC enabled, it is not possible for a normal user to use the API without accessing the OIDC id token, which is not accessible by appropriate means; this proposal fixes that.
+
+The usual workaround for this is to use robot accounts, but that would mean that each user has to own a separate robot account just to access the API, which doesn't seem clean to me.
+Also, this means that robot accounts can not be created via the API by someone other than the local admin.
+
+The OIDC id token is accessible via either the harbor debug log, which the user can't see, or via direct communication with the identity provider, which requires credentials that the user isn't supposed to have.
+
+## Proposal
+
+- Extend oidc_cli security context generator to include calls to the v2 API
+- document the fact that the cli secret can be used for oidc authentication in general in the docs
+
+## Non-Goals
+
+- The UI doesn't really have to be changed since the cli secret is already a thing and used for docker login. Perhaps we can rename it to "user secret" or something similar.
+
+## Rationale
+
+This change can be seen as a security "downgrade", but since this way of authenticating is already present when using the docker cli, the vulnerability already exists (if it can be considered one).
+
+This change disables deprecates the authentication via id token.
+
+## Compatibility
+
+Authentication against the API via OIDC id token will be deprecated (but still possible), and removed in a future release.
+
+## Implementation
+
+A first version is already done, see https://github.com/goharbor/harbor/pull/20851 (still needs to be adjusted to only deprecate and not remove the id Token)
+
+## Open issues (if applicable)
+
+https://github.com/goharbor/harbor/issues/14236