Hacker News

zzo38computer, last Wednesday at 7:35 PM (0 replies)

I also hate this state of authentication on the web, but passwords have problems as mentioned in the other comment. API keys are also just another kind of password, so they aren't very good either. I think X.509 client authentication would be better, especially for connections that insist on using TLS.

(However, for some uses, signed messages which can be verified by anyone would be better, in case the message is intended to be public anyways; this is independent of the protocol.)