Έλα μου ντε...
Μάλλον γιατί δεν έχει γίνει αντιληπτό τι είναι το API key και τι το token.
Από τη wikipedia (τα bold είναι δική μου έμφαση):
An application programming interface key (API key) is a unique identifier used to authenticate a user, developer, or calling program to an API. However, they are typically used to authenticate a project with the API rather than a human user. Different platforms may implement and use API keys in different ways.
Επίσης από τη wikipedia:
(...) Α session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. (...) A session ID is typically granted to a visitor on their first visit to a site. It is different from a user ID in that sessions are typically short-lived (they expire after a preset time of inactivity which may be minutes or hours) and may become invalid after a certain goal has been met (for example, once the buyer has finalized their order, he cannot use the same session ID to add more items).
Θα επανέλθω σχετικά με την ενδεδειγμένη χρήση αυτών των δύο στην περίπτωση της εργασίας σας.