An endpoint uses a security mechanism that places the API key in the query string. This can lead to the API key leaking via mechanisms that routinely capture full request URLs, such as application server logs, users' browser extensions, or third-party analytics packages.
This rule applies at the API Specification level (OAS/Swagger).
Remediation
Switch to transporting the credentials in the request headers, or request body.
How to Identify with Example Scenario
Find the text in bold to identify issues such as these in API specifications
How to Resolve with Example Scenario
Modify the text in bold to resolve issues such as these in API specifications
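The following is an added example, not part of the original rule text or any scanner's own code: a Python check that flags `apiKey` security schemes declared with `in: query` in either Swagger 2.0 or OpenAPI 3 documents and lists the operations that actually use them. The sample specification, its paths, and its scheme and parameter names are constructed for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def query_api_key_schemes(spec):
    """Return names of apiKey schemes whose location is the query string."""
    # Swagger 2.0 uses securityDefinitions; OpenAPI 3 uses components.securitySchemes.
    schemes = dict(spec.get("securityDefinitions") or {})
    schemes.update((spec.get("components") or {}).get("securitySchemes") or {})
    return sorted(
        name for name, s in schemes.items()
        if isinstance(s, dict) and s.get("type") == "apiKey" and s.get("in") == "query"
    )


def affected_operations(spec):
    """Return sorted (METHOD, path, scheme) tuples for operations using such a scheme."""
    flagged = set(query_api_key_schemes(spec))
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            # Operation-level `security` overrides the global one, even when empty.
            requirements = op["security"] if "security" in op else spec.get("security", [])
            for requirement in requirements:
                for name in requirement:
                    if name in flagged:
                        findings.append((method.upper(), path, name))
    return sorted(findings)


# Constructed sample spec: scheme names, parameter names and paths are illustrative.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "KeyInQuery": {"type": "apiKey", "in": "query", "name": "api_key"},
        "KeyInHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "security": [{"KeyInQuery": []}],
    "paths": {
        "/orders": {"get": {"responses": {}}},  # inherits the global requirement
        "/orders/{id}": {"get": {"security": [{"KeyInHeader": []}], "responses": {}}},
        "/health": {"get": {"security": [], "responses": {}}},  # explicitly no auth
    },
}

if __name__ == "__main__":
    for method, path, scheme in affected_operations(SAMPLE_SPEC):
        print(f"{method} {path}: API key scheme '{scheme}' is sent in the query string")
```

Changing the flagged scheme's `in` value from `query` to `header` in the specification clears the finding, which matches the remediation above.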