Yes It was a dumb question… page 9 of the REST guide states that you have to use basic or token plus API key. I’ll not delete this in case someone else is looking.
API Key is not used as authentication mechanism. It is just a way to mark caller to better tracing. Also, it allows to assign Access Scopes to the API Key and to make exposed API surface smaller. For example, when you want to allow external application to use only some services/methods/BAQs.