<p>Is it not good idea to segregate payload content of API with authentication details? So that during implementation of API we could reject requests in the API gateway level if it does not have authentication header or invalid key type. This will also avoid to reduce load on the service of handling invalid requests. OR </p><p>Since api_dev_key is unique and sensitive to each client. You want to hide it as part of payload for avoiding accidental leakage of key.</p><p><br></p><p><span style="background-color: rgba(145, 158, 171, 0.08);">Let me know your thoughts on it.</span></p>