Place API key in Headers or URL

It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor.org/rfc/rfc7235


If you want an argument that might appeal to a boss: Think about what a URL is. URLs are public. People copy and paste them. They share them, they put them on advertisements. Nothing prevents someone (knowingly or not) from mailing that URL around for other people to use. If your API key is in that URL, everybody has it.