How exactly does this work? If the user is sending the API request then the network logs would display the unencrypted information.
If I understand correctly the user would store the encrypted key locally. The user would send the key & password so the server can decrypt it and make the call? So you don’t have to store their key? But you say the API code is obfuscated? I’m assuming it’s the code to your API?
So you have a universal key? I don’t understand. How are you identifying your users?