OpenAI's "bring your own key" policy

I understand what you are saying. I truly do. Yet, you are not understanding what is being said here. No, it’s not bad design. Look at all the other services that offer “BYOK”. First, they are almost always open-source and allow for self-hosting. BYOK in a closed-source solution in itself is bad design and practice.

Regardless, let’s recap both scenarios:

Option A: If an API key needs to be sent each time, this narrows the potential attack vectors compared to option B. The key is sent, used, and discarded.

Option B: If an API key is stored in a database, it still needs to be sent initially. Now you need to spend resources and space to store the key, authorize the user, and perform the transaction. Again, you still need to send out the key. I’m not going to again mention all the additional, not different, additional attack vectors you have exposed yourself to and haven’t addressed once.

In an event in which your website is compromised and the keys were retrieved, you are still screwed, and liable. Another massive difference is that you have a known treasure trove sitting there, begging to be captured. Why not just open up a store and have a chest bursting with gold coins sitting right outside the window? But I have security bars!

I once was on a construction site for a gas station. Had a full inventory (including cigarettes), security bars, all the anti-theft deterrents possible. It was attached to a car wash. Near the end of the construction, a group of people went into the car wash, broke the wall down, and stole all the expensive merchandise. You are this gas station.

But, whatever. I have tried. I hope you succeed and I truly hope you are never a victim of a breach because it would utterly devastate you. I know you have “thank you, I won’t do that”, but the fact that you prefix it with “no, that’s bad design” just means to me that you just want to leave the conversation without taking in anything at all. I honestly do want to see you succeed, and maybe I’m trying way too hard, but I hate knowing that someone is starting a new business and is already potentially setting themself on a path to devastation.

Please. Get insurance for your business, for your own sake, and watch their eyes bulge when you mention that you are storing thousands of dollars worth of API keys for free users.
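
Option A from the post above (key sent, used, discarded), as an added example that is not part of the original post: a request handler that forwards the caller's key upstream and keeps it out of storage and logs. The `send_upstream` callable, the logger name and the `sk-` key pattern are assumptions made for illustration.

```python
import logging
import re

# Assumed shape of an OpenAI-style secret key ("sk-" prefix); adjust to the real format.
KEY_PATTERN = re.compile(r"sk-[A-Za-z0-9_-]{8,}")


class RedactKeys(logging.Filter):
    """Scrub anything key-shaped from a log record before handlers see it."""

    def filter(self, record):
        record.msg = KEY_PATTERN.sub("sk-[REDACTED]", record.getMessage())
        record.args = ()
        return True


log = logging.getLogger("byok_proxy")  # hypothetical logger name
log.addFilter(RedactKeys())


def handle_completion(headers, payload, send_upstream):
    """Forward one request using the caller's key; the key lives only in this call.

    headers       -- incoming request headers (dict)
    payload       -- request body to forward
    send_upstream -- hypothetical callable(auth_headers, payload) -> (status, body)
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not KEY_PATTERN.fullmatch(auth[7:]):
        return 401, {"error": "missing or malformed API key"}
    try:
        status, body = send_upstream({"Authorization": auth}, payload)
    except Exception as exc:
        # Upstream errors can echo the credential; the filter scrubs it.
        log.error("upstream call failed: %s", exc)
        return 502, {"error": "upstream failure"}
    log.info("forwarded request, upstream status %s", status)
    # Nothing is written to a database, cache or session: no key at rest.
    return status, body
```
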