A key can be sent using one of two methods: as a request header or as a parameter in the request URL. For security reasons, sending API keys as a request header is the preferred method: while still not secure if sent over an unencrypted connection, it is less likely to be logged as part of the URL.
Note: If HTTP MUST be used (the use of HTTP instead of HTTPS is strongly discouraged), for security reasons, sending API keys in the request header, and not the URL, is the preferred method. While still not secure if sent over an unencrypted connection, headers are less likely to be logged as part of the URL and thus are just slightly less insecure.