Right now, we only allow clients to send API keys to our Edge proxy using the apikey query parameter.
This makes it difficult for clients to keep their API keys secret; they tend to leak keys on a regular basis. Both ourselves and some of our clients believe it's a good idea to support passing API keys in the headers, where they will benefit from the security of HTTPS, although we will also continue to support the key as a query parameter.
I started investigating how to do this correctly, and reading the HTTP specs I think a correct way to do this would be to use the Authorization header, presumably something like:
Authorization: APIKEY your-api-key-here
I notice this is not the way that is suggested in your documentation. Is there a reason for that (e.g. client ease-of-use)? What are the advantages / disadvantages of using the apikey header vs the Authorization header?
I also notice that the default status response for an invalid apikey parameter is HTTP 401 Unauthorized. However, this requires that the response headers include a suggested authentication method, which is also not configured. Are there any consequences to not providing this header?
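As an added example (not part of this post, and not the proxy's own code): a small Python check that accepts the key from the Authorization header first and falls back to the apikey query parameter, and that sends the WWW-Authenticate header a 401 response is required to carry. The scheme name APIKEY, the realm string and the sample key store are assumptions made for the example.

```python
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample key store; a real proxy would look keys up in its own backend.
VALID_KEYS: Dict[str, str] = {"key-abc123": "client-a"}

# Assumed custom scheme name and realm; both are choices, not a standard.
SCHEME = "APIKEY"
CHALLENGE = f'{SCHEME} realm="edge-proxy"'


def extract_api_key(headers: Dict[str, str], url: str) -> Tuple[Optional[str], str]:
    """Return (key, source). Header wins; the query parameter is the fallback.

    Keys in the query string tend to end up in access logs, proxy logs and
    browser history, so knowing the source lets the proxy track migration.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    parts = auth.split(None, 1)
    if len(parts) == 2 and parts[0].upper() == SCHEME and parts[1].strip():
        return parts[1].strip(), "header"
    qs = parse_qs(urlsplit(url).query)  # blank values are dropped by parse_qs
    if qs.get("apikey"):
        return qs["apikey"][0], "query"
    return None, "none"


def lookup_client(key: str) -> Optional[str]:
    """Constant-time comparison against every stored key to avoid timing leaks."""
    found = None
    for stored, client in VALID_KEYS.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            found = client
    return found


def authorize(headers: Dict[str, str], url: str) -> Tuple[int, Dict[str, str], Optional[str], str]:
    """Return (status, response_headers, client_id, key_source).

    Every 401 carries WWW-Authenticate, as RFC 7235 requires, so clients learn
    which scheme the proxy expects instead of guessing.
    """
    key, source = extract_api_key(headers, url)
    if key is None:
        return 401, {"WWW-Authenticate": CHALLENGE}, None, source
    client = lookup_client(key)
    if client is None:
        return 401, {"WWW-Authenticate": CHALLENGE}, None, source
    return 200, {}, client, source
```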