Of course, I work for an API security/management vendor (Axway), so you might think “he would say that”. But, having an API Management strategy in place means that API Keys are protected at Runtime by an API Gateway, and issued at Design Time by an API Portal. What all of the recent API Key vulnerability victims have in common is a lack of an API Gateway in place, or an API Management strategy. An API Management strategy allows administrators to manage how API Keys are issued, typing them to the lifecycle of the API. In the screenshot below, we can see how an API Key can be issued for an app (in this case, the sample API Days voting app used at our API Security workshops at the API Days conference):