It would be greatly beneficial to have more flexibility with API keys, specifically the ability to grant users one or more API keys that could expire, be RW or RO, and possibly named.
The attached screenshot is from an IP Address tracking system named "Netbox." In my opinion, it has a fantastic API setup with all of the options I mentioned above. The API key is passed with the REST request in the Authorization HTTP header.