The only way someone is gonna get that API key is if the player launching the game figures out what the key is, by looking in the environment, and gives it to someone else.
That's why I mentioned you can get fancy and prevent replay attacks by verifying the API key against a service that YOU own. You can prevent it from being used again by storing it in a database somewhere or something. Get creative.