I’m an admin on a discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.
How much do I need to trust my moderators?
I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.
I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.
Unless it is assigned to their own username. 
(that is my only caveat)
Probably an oversight, we should patch this up for moderators vs admins @eviltrout.
I’ve made it so moderators can’t see the API keys:
https://github.com/discourse/discourse/commit/e8424bd54e4c7d1bff5f8c3f87f931648ee94020
Also backported fix to stable + beta branches.