API keys are intended to be used by trusted devices, typically on your servers. This is primarily because unlike short-lived tokens, API keys are valid indefinitely. As such, the security ramifications of an API key being compromised are far more significant than tokens.
As non-TLS transports can be inspected by any network devices routing traffic between the client and our service, we are unwilling to service requests that use API keys as this presents an unacceptable security risk. We do however support basic authentication over TLS, or token authentication over non-TLS connections.