I have found that type checking for `api_key` is insufficient in rubygems.org's source code.
https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63
```ruby
def authenticate_with_api_key
api_key = request.headers["Authorization"] || params[:api_key]
…