There are three parts of security for APIs:
- Identity - who is making an API request?
- Authentication - are they really who they say they are?
- Authorization - are they allowed to do what they are trying to do?
I was never sure where to place API keys among these security issues and found this explanation. I reckon it's clear and informative.
Take Yahoo and Google Maps – they are fairly open. They want to know who you are but they aren't concerned with what address you are looking up. So they use an API key to establish identity, but don't authenticate or authorize. So if you use someone else's API key, it's not good but not a serious security breach. The API key lets them identify (most likely) who is making an API call so they can limit the number of requests you can make. Identity is important here to keep service volume under control.