Secure & recommended way to use Redash API

We have self hosted redash which we are trying to use in our own application. there are two ways to access API from our application :

Approach #1. GET ‘https://selfhostedredash.in.mydomain.com/api/queries?api_key=xxxxxxxxxxxxx

Approach #2. GET --header ‘Accept: application/json’ --header 'Authorization: Key xxxxxxxxx’ ‘https://selfhostedredash.in.mydomain.com/api/queries

My developers raise concern is the way it has been used in case #1 (which is default with redash), we are putting sensitive information in the URL, i believe api_key is sensitive information.
Approach #2 required customisation i believe in redash codebase, please correct me if i am wrong here.

Please help me to finalise the way API could be used.
Thanks in advance

Approach #2 doesn’t need customization. Redash already allows this.

The API key in Approach #1 is unique to the query (and can be regenerated if compromised). It doesn’t grant access to any other resources. In some ways it seems safer than Approach #2, but less convenient.

Thank for the reply.

below link also help me to understand the API a bit more.

The docs are helpful too.