Treat API keys like money
An API key can grant access to real infrastructure, billing, or customer data. That makes it closer to a credential than a simple message. The safer you are with the transfer, the less likely it is to become a later incident.
The best practice is to avoid sending the key in plaintext at all. Encrypt it locally, keep the link short-lived, and share the password or key material through a separate channel if your workflow supports it.
Make the handoff temporary
After the recipient confirms they have the key, revoke or rotate it if the use case allows. That way, even if the link is forwarded or the message history is retained, the credential is no longer useful.
Short-lived secrets are easier to reason about. They reduce the window of exposure and make it simpler to explain to teammates why a secure sharing tool is worth using.