I guess database is better than dropping it in a config file, but still not very secure. Would prefer Azure Key Vault, but that's a step too far I guess. Consider Environment Variables though so you can have a different API key per environment.

umbracoKeyValue

will work but just know it's made for migrations not for this purpose 🙂 I can't predict if we in the future might be looking for only valid migration key-values there, for example.