It's an important problem but how does this differ from TLS client certificates?
I would also think that client certificates would help more. Then you do not need API keys, and there are other benefits as well, such as: the end user can create their own passworded private keys if wanted (without ever sending the password to the server); the server cannot steal authentication; it can be used with multiple protocols (not only HTTP(S)); the end user can issue more constrained certificates to themselves and others (which can improve security, as well as having other benefits); it uses DER, which is a better format than JSON (in my opinion); the certificate can be revoked; the client can issue a certificate to the server (with restricted permissions, and possibly a short validity time) to operate on the client's behalf if wanted; etc.
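The points above (constrained, short-validity client certificates; the server never holding a reusable secret; rejection happening inside the transport handshake) can be made concrete with a small mutual-TLS demonstration. The following is an added example, not code from either commenter: a Go program using only the standard library that builds an in-memory CA, issues a server certificate and a client certificate limited to client authentication with a caller-chosen lifetime, and runs a TLS 1.3 handshake over an in-memory pipe with the server set to require and verify the client certificate. The CA names, the hostname api.example.test and the user name alice are constructed placeholders. The same function also exercises the two failure modes a defender wants to see: an expired client certificate and one issued by a CA the server does not trust are both refused during the handshake, before any application data is read.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign generates a fresh P-256 key for tmpl and has parent sign it; a nil parent
// yields a self-signed CA. All keys live in memory for this example only.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate small clock skew
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a signing-only CA valid for one day (constructed values).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(24 * time.Hour)}
}

// mutualHandshake runs one TLS 1.3 handshake over an in-memory pipe; it returns
// the client identity the server verified, or the server's rejection.
func mutualHandshake(serverCfg, clientCfg *tls.Config) (string, error) {
	clientSide, serverSide := net.Pipe()
	defer serverSide.Close()
	clientErr := make(chan error, 1)
	go func() {
		err := tls.Client(clientSide, clientCfg).Handshake()
		clientSide.Close() // raw close: skip a close_notify nobody would read
		clientErr <- err
	}()
	srv := tls.Server(serverSide, serverCfg)
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	if err := <-clientErr; err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// run issues CA, server and client certificates, then attempts one mutual handshake;
// sameCA=false issues the client certificate from a CA the server does not trust.
func run(clientTTL time.Duration, sameCA bool) (string, error) {
	ca, caKey, err := sign(caTemplate("Example Internal CA"), nil, nil)
	if err != nil {
		return "", err
	}
	srvCert, srvKey, err := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "api.example.test"},
		DNSNames: []string{"api.example.test"}, NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return "", err
	}
	issuer, issuerKey := ca, caKey
	if !sameCA {
		if issuer, issuerKey, err = sign(caTemplate("Untrusted CA"), nil, nil); err != nil {
			return "", err
		}
	}
	// The client leaf is usable only for client authentication and only for clientTTL.
	cliCert, cliKey, err := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "alice"},
		NotAfter: time.Now().Add(clientTTL), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, issuer, issuerKey)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, // missing or unverifiable client cert aborts the handshake
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true} // no post-handshake writes on the pipe
	clientCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		RootCAs: pool, ServerName: "api.example.test", MinVersion: tls.VersionTLS13}
	return mutualHandshake(serverCfg, clientCfg)
}
```

`run(10*time.Minute, true)` returns `"alice"`, the identity the server pulled from the verified certificate rather than from any token the client could have leaked; `run(-30*time.Second, true)` and `run(10*time.Minute, false)` return handshake errors for the expired certificate and the untrusted issuer respectively. Revocation, which the comment also lists, is not wired in here: Go's `tls.Config` leaves CRL or OCSP checks to a `VerifyPeerCertificate` or `VerifyConnection` callback, and the short lifetime shown is the usual way to bound how long a revocation gap matters.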