So, just spit-balling here: I don’t know very much about configuring nginx, so maybe this isn’t possible.
How about a /api/ location that would require HTTP auth using the API key, and then rewrites the URL to the normal URL, and doesn’t have a rate limit?
You could perhaps write to the auth config file when API keys are generated or revoked.
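One way the last suggestion could work, as an added example that is not part of the original post: a Python helper that rewrites an htpasswd-style file whenever an API key is issued or revoked, using the `{SSHA}` entry format that nginx's `auth_basic_user_file` accepts. The file path, key ids and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, re, secrets, tempfile

KEY_ID = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # no ':' or newline can reach the file

def ssha(secret, salt=None):
    """RFC 2307 {SSHA} entry: base64(sha1(secret + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(secret.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check(secret, entry):
    raw = base64.b64decode(entry[len("{SSHA}"):])  # 20-byte digest, then salt
    return hmac.compare_digest(hashlib.sha1(secret.encode() + raw[20:]).digest(), raw[:20])

def load_entries(path):
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return dict(line.rstrip("\n").split(":", 1) for line in fh if ":" in line)

def store_entries(path, entries):
    # Write a sibling temp file, then rename: readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.writelines(f"{k}:{v}\n" for k, v in sorted(entries.items()))
    os.chmod(tmp, 0o640)  # assumed: the nginx worker reads via group permission
    os.replace(tmp, path)

def issue_key(path, key_id):
    if not KEY_ID.fullmatch(key_id):
        raise ValueError("key_id must match [A-Za-z0-9_.-]{1,64}")
    entries = load_entries(path)
    secret = secrets.token_urlsafe(32)
    entries[key_id] = ssha(secret)
    store_entries(path, entries)
    return secret  # shown to the user once; only the hash is stored

def revoke_key(path, key_id):
    entries = load_entries(path)
    if entries.pop(key_id, None) is None:
        return False
    store_entries(path, entries)
    return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api_keys.htpasswd")  # constructed path
        secret = issue_key(path, "client-42")
        print(check(secret, load_entries(path)["client-42"]))
        print(revoke_key(path, "client-42"), load_entries(path))
```

Salted SHA-1 is a fast hash, so this is only reasonable because the keys are 256-bit random values rather than user-chosen passwords.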