We would do it as an oauth app on our side. Also the key doesnt need to be the users own key. You could set budgets for keys as well.