Open John-Bosch opened 4 years ago
They both serve different purposes.
API keys are for projects, i.e. they provide an identification as to which project is making an API call, whereas authentication is for users, i.e. to check if the calling application has been granted access to call the API.
I guess the API key should be included in every API call, whereas the Authorization header should be on a case-by-case basis.
An API key can be delivered in an Authorization header. OAuth2 Client Credentials grant type will also use an Authorization header as the transport for non-human identity authorisation.
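As an added illustration of the split the comments above describe (not code from the thread or the project it discusses): the API key identifies the calling project and is accepted either in an assumed `X-API-Key` header or as an assumed `ApiKey` scheme in the Authorization header, while a Bearer token authorises the caller and is only demanded for scope-protected calls. All keys, tokens, project and principal names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed lookup tables for the demo; a real service stores only hashes.
API_KEYS = {  # sha256(key) -> project the key identifies
    hashlib.sha256(b"proj-alpha-key-123").hexdigest(): "alpha",
}
BEARER_TOKENS = {  # sha256(token) -> (principal, granted scopes)
    hashlib.sha256(b"user-token-abc").hexdigest(): ("alice", {"read", "write"}),
}

def _lookup(table, presented):
    """Find a presented secret in a hash-keyed table using constant-time compares."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, value in table.items():
        if hmac.compare_digest(stored, digest):
            return value
    return None

def identify_project(headers):
    """API key: 'which project is calling?'. Accepted in X-API-Key or, as the
    thread notes, carried in the Authorization header as an 'ApiKey' scheme."""
    key = headers.get("X-API-Key")
    auth = headers.get("Authorization", "")
    if key is None and auth.startswith("ApiKey "):
        key = auth[len("ApiKey "):]
    return _lookup(API_KEYS, key) if key else None

def authorise_caller(headers, required_scope):
    """Bearer token: 'is this caller allowed to perform this action?'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    found = _lookup(BEARER_TOKENS, auth[len("Bearer "):])
    if found is None or required_scope not in found[1]:
        return None
    return found[0]

def check_request(headers, required_scope=None):
    """Every call must identify a project; only scope-protected calls also
    need an authorised caller (the case-by-case Authorization header)."""
    project = identify_project(headers)
    if project is None:
        return {"ok": False, "project": None, "principal": None}
    if required_scope is None:
        return {"ok": True, "project": project, "principal": None}
    principal = authorise_caller(headers, required_scope)
    if principal is None:
        return {"ok": False, "project": project, "principal": None}
    return {"ok": True, "project": project, "principal": principal}
```

A single request can carry only one Authorization header, so a call that needs both checks sends the key in `X-API-Key` and the token as `Bearer`.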
In the API Security section, under Authentication and Authorisation (please use the Australian English spelling), the dot points seem to suggest that both an Authorization header and an API key must be used. Is this the intention?
I do agree that just using an API key is not sufficient in most circumstances, but requiring both seems overkill.