Tags: api, rest, authorization, azure-api-management, azure-api-apps

Should I use the Authorization header for API keys?


We're going to expose a custom-built API (.NET) through Azure API Management. We want to conform to well-known standards wherever possible, so we don't surprise our API consumers. The API is secured through an API key which users generate from APIM's Developer Portal.

My understanding is that the Authorization header should be used for authentication and authorization purposes.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization

But strangely, API-Key is not included as an authentication scheme.

https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes

Should API consumers use an authorization header to authenticate?

E.g. Authorization: API-Key xxx-xxx

Or a custom header.

E.g. my-key: xxx-xxx


Solution

  • Technically, you shouldn't need any API key if you have a token in the Authorization header. I assume the API key/client and secret key are already used to generate a token. When the client sends a token via the Authorization header, the API owner validates your token and returns a response.
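An added example (not the answerer's code or anything from APIM) of the flow the answer describes on the server side: a client exchanges its API key/secret for a short-lived signed token, then presents it as `Authorization: Bearer ...`; the same validator also accepts the question's `Authorization: API-Key ...` form. `API_KEYS`, `SIGNING_SECRET`, `issue_token`, `parse_authorization`, `authenticate` and all key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample store: client id -> secret. In APIM the key would come from the Developer Portal.
API_KEYS = {"client-123": "xxx-xxx-secret"}
# Constructed server-side key used to sign issued tokens (hypothetical; keep this out of source in practice).
SIGNING_SECRET = b"server-side-signing-secret"


def issue_token(client_id, client_secret, ttl=3600, now=None):
    """Exchange an API key/secret for a signed, expiring token; returns None on bad credentials."""
    expected = API_KEYS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None
    now = int(time.time()) if now is None else now
    payload = base64.urlsafe_b64encode(json.dumps({"sub": client_id, "exp": now + ttl}).encode()).decode()
    sig = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def parse_authorization(header):
    """Split 'Authorization: <scheme> <credentials>' (RFC 7235 shape); scheme names are case-insensitive."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def authenticate(headers, now=None):
    """Return the authenticated client id, or None. Assumes header names were already normalized."""
    parsed = parse_authorization(headers.get("Authorization"))
    if parsed is None:
        return None
    scheme, creds = parsed
    if scheme == "bearer":  # token minted by issue_token: check signature first, then expiry
        payload, _, sig = creds.rpartition(".")
        expected = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not payload or not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        now = int(time.time()) if now is None else now
        return claims["sub"] if claims["exp"] > now else None
    if scheme == "api-key":  # raw key in the Authorization header; constant-time compare against every key
        for client_id, secret in API_KEYS.items():
            if hmac.compare_digest(secret.encode(), creds.encode()):
                return client_id
        return None
    return None  # unknown scheme (Basic, Digest, ...) is rejected, not silently accepted
```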