Just to confirm, you are asking about User API requests and not API requests that have been run with an API key that you have generated for users on your Discourse site’s Admin / API page. User API requests are highlighted in green in the screenshot below:
Details about what User API Keys are used for are here: User API keys specification.
Unless you have created an app that integrates with your Discourse site, the most likely explanations are either that users are logging into the site via the DiscourseHub App (https://play.google.com/store/apps/details?id=com.discourse&hl=en&gl=US&pli=1) or they are using an app similar to Fig - Native Discourse client for iOS to interact with the site.
This doesn’t answer all of your questions, but you can get a general overview of how the User API keys are being used with the following Data Explorer query:
SELECT * FROM user_api_keys
To get a list of applications that are making User API key requests to your site, and a count of the number of users who are making requests with each application:
SELECT
application_name,
COUNT(application_name) AS user_count
FROM user_api_keys
GROUP BY application_name
User API keys that are being used to connect from the DiscourseHub app will have their application_name
set to “Discourse - unknown”.
If a user makes use of a User API key to interact with the site, an Apps entry will be added to the Security tab of their preferences page:
The entry shows the scopes that have been granted to the app. It also allows you to revoke access to the app.
I am not seeing any way of expiring or revoking all User API keys from the Discourse UI. There is only the option to revoke one key at a time from users preferences pages. It would be possible to revoke all User API keys from the Rails console, but it’s probably worth investigating how the keys are being used first.