I’m an admin on a discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.
I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.
I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.