Prefer the header: query strings tend to end up in access logs, proxies and
browser history, so ?key= is best kept for quick tests and environments
where setting headers is inconvenient.
Keep the key out of your source code — read it from an environment variable
(the official Python wrapper picks up LEAKCHECK_APIKEY automatically).
Requests without the header are rejected with 401 Missing X-API-Key, and
requests with a wrong key with 400 Invalid X-API-Key — see
Errors for the full list.