How to protect dynamic data shared through API parameters?


In an app, users will save personal api keys that nobody else should see. However, the app is going to use this keys to call some external API services on behalf of the user.

Therefore, those api calls will have the users’ api keys as parameter. As a consequence, that parameter cannot be private, since we have to put dynamic data in it (the current user’s api key).

How can one protect the api keys in this case?