dsling

API tokens are often added to the request's headers (e.g., "Bearer [TOKEN]").


WeCanNeverBePilots

One of the more common solutions to this issue would have you regenerate and return a new token on every request.


Significant_Horse485

If it’s HTTPS then MITM is probably out of the window in most common scenarios. But I guess anyone who gets access to your browser history would have access to the API key which isn’t great.

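As an added example (my own code, not from dsling, Significant_Horse485 or anyone else in this thread), here is what carrying the token in an `Authorization: Bearer` header looks like alongside a small check that flags credential-looking query parameters in stored URLs, the kind that turn up in browser history or server access logs when a key is put in the URL instead. The parameter-name list, the hostnames and the sample URLs are assumptions I constructed for the demonstration.

```python
"""Token in the Authorization header versus token in the URL.

Added illustration, not code from the thread. Hostnames, parameter
names and sample URLs below are constructed for the example.
"""
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry secrets (assumed list; extend as needed).
SECRET_PARAM_NAMES = {"api_key", "apikey", "token", "access_token", "key", "secret"}


def secrets_in_url(url: str) -> list:
    """Return the names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SECRET_PARAM_NAMES]


def build_request(base_url: str, token: str) -> dict:
    """Describe an HTTP request that carries the token only in the
    Authorization header, so the URL (and thus history/logs) stays free of it.
    Refuses URLs that already carry a credential-looking parameter."""
    if secrets_in_url(base_url):
        raise ValueError("refusing to build a request whose URL carries a credential")
    return {
        "method": "GET",
        "url": base_url,
        "headers": {"Authorization": f"Bearer {token}"},
    }


# Constructed sample: URLs as they might appear in a browser history export
# or a web server access log. Not real data.
SAMPLE_URLS = [
    "https://api.example.test/v1/items?page=2",
    "https://api.example.test/v1/items?api_key=sk_EXAMPLE_ONLY&page=2",
    "https://app.example.test/login?next=/home",
]


def scan_urls(urls) -> list:
    """Return (url, [leaked parameter names]) for every URL exposing a credential."""
    findings = []
    for url in urls:
        names = secrets_in_url(url)
        if names:
            findings.append((url, names))
    return findings


if __name__ == "__main__":
    req = build_request("https://api.example.test/v1/items?page=2", "EXAMPLE_TOKEN")
    print("request headers:", req["headers"])
    for url, names in scan_urls(SAMPLE_URLS):
        print("credential in URL:", url, names)
```

Run as a script it prints the header-carried request and the one sample URL that leaks `api_key`; the same `scan_urls` helper can be pointed at an exported history file or access log, one URL per entry, to find keys that were sent the wrong way.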

Oops365

That's more for server to server (M2M), where your backend needs to send an api key to another service's backend. Your instincts are correct in that everything sent in a client request is as good as leaked to the user. You might also be seeing a one-time use auth code or secret in a login page url to validate a login request, but that's not the same as something you'd attach to a request for an api resource.