RFC - This is what I see in RFC 7235 ([link](Reference - rfc7235))
I asked this question internally -
Question - Is an API key used for authentication or authorization when it is combined with basic authentication credentials? It does identify the consumer, but the question is whether it also plays a part in authentication or authorization.
Scenario - When valid credentials are passed together with an invalid API key, the gateway (GW) responds with 401 Unauthorized. Is 401 accurate here, or should it be a different code?
The following response is courtesy of @John_Carter4 -
"Important to remember that the API key identifies the consumer (i.e. the app), not necessarily the user, so some other form of authentication should be used for authorization.
As to the response code, from a security perspective we don't want to give away too much information, so a 401 Unauthorized is fine. We don't want a hacker to be able to determine if an API key is correct but not the login etc. etc."
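As an added example (not code from the thread, the gateway product, or the RFC), a minimal gateway check in Python that applies the advice above: the API key identifies the consumer app, the Basic credentials authenticate the user, both checks always run, and the response is one identical 401 with the WWW-Authenticate challenge that RFC 7235 requires, whether the key, the login, or both were wrong. The `X-API-Key` header name, the sample key and the sample user are assumed and constructed for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample stores (placeholder values, not real secrets).
API_KEYS: Dict[str, str] = {"app-key-123": "orders-mobile-app"}  # key -> consumer app
USERS: Dict[str, str] = {"alice": "correct-horse-battery-staple"}  # user -> password

def basic_header(user: str, password: str) -> str:
    """Build an Authorization: Basic value (used here to construct sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic credential (RFC 7617); return (user, password) or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def identify_consumer(key: Optional[str]) -> Optional[str]:
    """Map the API key to the consumer (app) it identifies; None if unknown."""
    consumer = None
    for stored, app in API_KEYS.items():  # scan every key: no early exit, constant-time compare
        if key is not None and hmac.compare_digest(stored.encode(), key.encode()):
            consumer = app
    return consumer

def authenticate_user(creds: Optional[Tuple[str, str]]) -> Optional[str]:
    """Verify the user's password; None on any failure."""
    if creds is None:
        return None
    user, password = creds
    # Compare against a dummy for unknown users so the work done is the same either way.
    expected = USERS.get(user, "unknown-user-dummy-password")
    return user if hmac.compare_digest(expected.encode(), password.encode()) and user in USERS else None

def gateway_decision(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body); both checks always run before deciding."""
    consumer = identify_consumer(headers.get("X-API-Key"))
    user = authenticate_user(parse_basic(headers.get("Authorization")))
    if consumer is None or user is None:
        # Uniform failure whether the key, the login, or both were wrong; RFC 7235 requires
        # a WWW-Authenticate challenge on every 401.
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}, "Unauthorized"
    return 200, {}, f"consumer={consumer} user={user}"
```

The three failure cases (bad key, bad password, missing key) produce byte-identical responses, so a caller cannot tell which part was rejected.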