[REST API] Questions and improvements

by bohte, Thursday, May 04, 2023, 06:54 (359 days ago) @ bohte

Hello Armaghan!

Thanks a lot for your response and intention to help with all points described in the thread root.

In reply to your answer there are two things from my side:

In regard to "ambiguity" topic, I got the point and cannot argue with that, it makes sense. Therefore anything related to that we will discuss and handle on our side.

In regard to the "authentication" topic, generally, as you mentioned in your reply, key rotation is the best solution in this case. I would suggest changing the constant api_key to a JWT (JSON Web Token) which would be:
1) Generated on session instantiation (login)
2) Kept somewhere in a DB or any other persistent and easily accessible place
3) Invalidated along with session
4) * also topic of refresh-token may come in handy

Speaking of best practices - please check out this link, which describes an authentication standard: https://auth0.com/intro-to-iam/what-is-oauth-2 (other topics on this resource may be useful).
To apply the OAuth approach to your application you can either develop it yourself or use a third-party solution.

Although security is an important topic, please consider that, as RMA, we are going to use an IP whitelist protection strategy, which works fine for us. Therefore there is no pressure from us in regard to the authentication topic.

Looking forward to hearing about any changes made to the SQL-Ledger APIs in regard to the points from the root thread.

Good luck and best regards!
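The four-point scheme proposed in the post above (a JWT minted at login, its id stored server-side, invalidated together with the session, plus a refresh token) can be sketched end to end. The following is an added example, not code from the post or from the SQL-Ledger project; it uses only the Python standard library (HS256 via hmac, so no PyJWT dependency) and an in-memory dict as a stand-in for the DB table the post suggests. Names such as `SessionStore`, `login`, `authenticate`, `refresh` and `logout` are the example's own. The point it demonstrates beyond the list: a signed token with a valid `exp` is still rejected once its session record is revoked, which is exactly what a constant api_key cannot do.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Per-deployment signing key (constructed at import time for this example;
# in a real deployment it lives in configuration and is rotated).
SECRET = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature, all base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never trust the header to pick it (rejects alg=none etc.).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Stand-in for the persistence layer the post proposes (point 2).

    sessions maps jti -> session record; refresh_tokens maps a hash of the
    refresh token -> jti, so a DB leak does not hand out usable refresh tokens.
    """

    def __init__(self):
        self.sessions = {}
        self.refresh_tokens = {}

    def _access_token(self, user: str, jti: str, key: bytes, now: float, ttl: int) -> str:
        return sign_jwt({"sub": user, "jti": jti, "iat": int(now), "exp": int(now + ttl)}, key)

    def login(self, user: str, key: bytes, now: float,
              access_ttl: int = 900, refresh_ttl: int = 7 * 86400):
        """Point 1: mint a short-lived access JWT and a long-lived refresh token."""
        jti = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(32)
        self.sessions[jti] = {"user": user, "revoked": False, "refresh_exp": now + refresh_ttl}
        self.refresh_tokens[hashlib.sha256(refresh.encode()).hexdigest()] = jti
        return self._access_token(user, jti, key, now, access_ttl), refresh

    def authenticate(self, token: str, key: bytes, now: float) -> Optional[str]:
        """Signature + expiry, then the server-side check: is the session still alive?"""
        claims = verify_jwt(token, key, now)
        if claims is None:
            return None
        rec = self.sessions.get(claims.get("jti"))
        if rec is None or rec["revoked"]:
            return None  # logged out: token is dead even though the signature is fine
        return claims["sub"]

    def refresh(self, refresh_token: str, key: bytes, now: float,
                access_ttl: int = 900) -> Optional[str]:
        """Point 4: trade a live refresh token for a fresh access JWT."""
        jti = self.refresh_tokens.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        rec = self.sessions.get(jti) if jti else None
        if rec is None or rec["revoked"] or rec["refresh_exp"] <= now:
            return None
        return self._access_token(rec["user"], jti, key, now, access_ttl)

    def logout(self, token: str, key: bytes, now: float) -> bool:
        """Point 3: revoke the session so every token bound to it stops working."""
        claims = verify_jwt(token, key, now)
        if claims is None or claims.get("jti") not in self.sessions:
            return False
        self.sessions[claims["jti"]]["revoked"] = True
        return True
```

Revocation works because `authenticate` always consults the store; a stateless JWT check alone would keep accepting the token until `exp`. Keeping the access TTL short (15 minutes here) bounds the window in which a stolen token is useful, and the refresh token, never sent with ordinary API calls, is what extends the session.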

