The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core.

A patch is released with Version 2.6.23 and 3.0.5.

Remove the field descriptor by patch the UserController.php File in Sulu Security Bundle.