An API may restrict some or all of its methods to require API keys. It makes sense to do this if:
You want to block anonymous traffic. API keys identify an application's traffic for the API producer, in case the application developer needs to work with the API producer to debug an issue or show their application's usage.
You want to control the number of calls made to your API.
You want to identify usage patterns in your API's traffic. You can see application usage in APIs & services.
You want to filter logs by API key.
API keys cannot be used for:
Identifying individual users — API keys don't identify users, they identify projects.
Secure authorization.
Identifying the creators of a project.
Service Infrastructure doesn't provide a method to directly look up projects from API keys.
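The split described above, as an added example that is not code from Google or from this page: the API key only maps a request to a project for blocking anonymous traffic, quota and log filtering, while access to a protected path needs a separate user credential. The key names, projects, quotas, paths, status codes and the HMAC token format are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample data: API key -> project, and a per-project call quota.
API_KEYS = {"key-mobile-app": "project-a", "key-partner": "project-b"}
QUOTA = {"project-a": 3, "project-b": 1}
TOKEN_SECRET = b"constructed-demo-secret"  # stands in for a real identity provider

calls = Counter()   # calls counted per project, not per user
access_log = []     # (project, path, status) tuples

def sign_user(user: str) -> str:
    """Issue a demo user token: user name plus HMAC tag (hypothetical format)."""
    tag = hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_user(token: Optional[str]) -> Optional[str]:
    """Return the user name if the token's HMAC tag is valid, else None."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    good = hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, good) else None

def handle(path: str, api_key: Optional[str], user_token: Optional[str] = None) -> int:
    """Return an HTTP-style status code for one request."""
    project = API_KEYS.get(api_key)
    if project is None:
        return 401                  # anonymous or unknown key: blocked
    calls[project] += 1
    if calls[project] > QUOTA[project]:
        status = 429                # per-project quota exceeded
    elif path.startswith("/private/") and verify_user(user_token) is None:
        status = 403                # a valid API key alone authorizes nothing
    else:
        status = 200
    access_log.append((project, path, status))
    return status

def logs_for(project: str) -> list:
    """Filter the access log by the project the API key mapped to."""
    return [entry for entry in access_log if entry[0] == project]
```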
https://cloud.google.com/endpoints/docs/openapi/when-why-api-key