
API Key Management

API keys are meant to identify clients (the calling application), not individual users. They should be treated as sensitive secrets.

  • Do not send API keys in the URL query string. URLs are logged in server access logs, browser history, and proxy logs. Always use the Authorization header or a custom header (e.g., X-Api-Key).
  • Implement key rotation mechanisms and allow clients to have multiple active keys temporarily to facilitate zero-downtime rotation.
  • Bind API keys to specific IP allowlists or domains when possible.
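The three rules above as one small validator, added here as an illustration and not code from Iron Codex: keys are read only from the X-Api-Key header (a key in the query string is refused outright), each client may hold several active keys so an old key can keep working for a grace period during rotation, and each key carries an optional IP allowlist. The class name ApiKeyStore, the query parameter name api_key, and the sample keys and CIDR ranges are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class KeyRecord:
    client: str            # the calling application this key identifies
    key_hash: str          # sha256 of the key; the raw key is never stored
    expires_at: "int|None" # unix time; set during rotation so the old key lapses
    allowed_nets: tuple    # ip_network objects the key may be presented from

class ApiKeyStore:
    def __init__(self) -> None:
        self._records: list = []

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, client, raw_key, allowed_cidrs=(), expires_at=None):
        nets = tuple(ipaddress.ip_network(c) for c in allowed_cidrs)
        self._records.append(KeyRecord(client, self._digest(raw_key), expires_at, nets))

    def rotate(self, client, old_key, new_key, now, grace=24 * 3600):
        """Issue new_key and keep old_key valid for `grace` seconds (zero-downtime rotation)."""
        old_hash = self._digest(old_key)
        for rec in self._records:
            if rec.client == client and hmac.compare_digest(rec.key_hash, old_hash):
                rec.expires_at = now + grace
                self.issue(client, new_key, [str(n) for n in rec.allowed_nets])
                return
        raise KeyError("no active key of that value for client")

    def authenticate(self, headers, query, remote_ip, now):
        """Return (client, reason); client is None when the request is rejected."""
        if "api_key" in query:  # never honour a key in the URL: it lands in access/proxy logs
            return None, "key_in_query_string"
        raw = headers.get("X-Api-Key")
        if not raw:
            return None, "missing_key"
        presented = self._digest(raw)
        addr = ipaddress.ip_address(remote_ip)
        for rec in self._records:
            if not hmac.compare_digest(rec.key_hash, presented):  # constant-time compare
                continue
            if rec.expires_at is not None and now >= rec.expires_at:
                return None, "key_expired"
            if rec.allowed_nets and not any(addr in n for n in rec.allowed_nets):
                return None, "ip_not_allowed"
            return rec.client, "ok"
        return None, "unknown_key"
```

In a real deployment the records would live in a database and the raw key would be generated from a CSPRNG and shown to the client once; only its hash is kept server-side.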