We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.
Notice that Square for instance strongly discourages API Keys for production.
On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.