Theme settings are available to the client JS app, so that means any visitor to your site could check the source code to see them. You almost certainly don’t want to put an API key there.
The exception would be for API keys that are designed for client-side use, and therefore aren’t a concern if anyone gets access to them (e.g. Giphy, Google Maps embeds, etc.)