API keys are to identify the user requesting the data.
Let's say you are using some Google API. When you go to their console to generate the API, Google stores the key it gives you against your user id in their database. So next time when you supply the key in your API call to Google, they can do a lookup to see who the key belongs to and if it can't find the user or if the user is not authorised to access that content, they send an error in the response.
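The lookup described above, as an added example that is not part of the original post and is not Google's actual implementation. The class `ApiKeyStore`, its method names, the 401/403 status codes, and the choice to store a SHA-256 digest instead of the raw key are all assumptions made for illustration.

```python
import hashlib
import secrets


class ApiKeyStore:
    """Hypothetical in-memory stand-in for the provider's key database."""

    def __init__(self):
        self._owner_by_digest = {}  # sha256(key) -> user id
        self._grants = {}           # user id -> resources the user may access

    @staticmethod
    def _digest(key):
        # Assumption: only a digest is stored, so a leaked table holds no usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, user_id, resources):
        """Console step: generate a key and record it against the user id."""
        key = secrets.token_urlsafe(32)
        self._owner_by_digest[self._digest(key)] = user_id
        self._grants.setdefault(user_id, set()).update(resources)
        return key

    def revoke_key(self, key):
        self._owner_by_digest.pop(self._digest(key), None)

    def handle_request(self, key, resource):
        """API call step: look up the key's owner, then check authorisation."""
        user_id = self._owner_by_digest.get(self._digest(key or ""))
        if user_id is None:
            return 401, {"error": "unknown API key"}
        if resource not in self._grants.get(user_id, set()):
            return 403, {"error": "not authorised for this resource"}
        return 200, {"user": user_id, "resource": resource}


def demo():
    store = ApiKeyStore()
    key = store.issue_key("user-42", {"maps"})  # constructed sample user and resource
    results = [
        store.handle_request(key, "maps")[0],               # known key, allowed
        store.handle_request(key, "billing")[0],            # known key, not allowed
        store.handle_request("not-a-real-key", "maps")[0],  # key not in the database
    ]
    store.revoke_key(key)
    results.append(store.handle_request(key, "maps")[0])    # revoked key
    return results


if __name__ == "__main__":
    print(demo())
```

The two error paths are kept distinct: a key with no owner fails identification, while a valid key whose owner lacks the grant fails authorisation.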