Using an IDP for REST/API users

I’m trying to allow an external IDP partner to manage their own credentials to access our APIs with automated clients (servers). Each partner could have hundreds or even thousands of servers that each would have unique identities.

I’m already running Keycloak and set up the partner as an external IDP for interactive user logins. They control their own user accounts (in their own Keycloak), and our KC is just a broker. Works perfectly for browsers.

I would like to do something similar for automated clients: partner servers that are accessing our APIs. The preferred method for authenticating these servers would seem to be client secrets, but that would require they create a client for each server, and I would have to set up each of those clients as an IDP on my side.

The alternative was to just have them create plain regular users on their side, and have the servers log in with usernames and passwords. This seems like a bad idea.

Is there some better way to organize this?