Don't put your API keys as parameters in your URL. Great way to have them land in server logs, your shell history, etc. You're trusting no one with decryption capabilities is doing logging and inspection correctly, which you shouldn't.