With programming there are always lots of different ways to do something!
One way - API access via an http request, not a dedicated node. Save the API key in a global context variable.
The first (i.e. leftmost) flow in your editor sets the context variable:
[{"id":"6278fa1f309c5664","type":"tab","label":"The very first flow","disabled":false,"info":"","env":[]},{"id":"0e40150057777aa0","type":"inject","z":"6278fa1f309c5664","name":"Inject at startup","props":[{"p":"payload"}],"repeat":"","crontab":"","once":true,"onceDelay":0.1,"topic":"","payload":"","payloadType":"str","x":200,"y":60,"wires":[["13e97f474aee0641"]]},{"id":"13e97f474aee0641","type":"change","z":"6278fa1f309c5664","name":"","rules":[{"t":"set","p":"myAPIkey","pt":"global","to":"1234567890abcdefghijklmnoq","tot":"str"}],"action":"","property":"","from":"","to":"","reg":false,"x":420,"y":60,"wires":[[]]}]
Here is an export of my complete Openweathermap flow.
You can see that I'm using an http request, not a dedicated node.
You can import this flow and run it, but because you don't have [my version of] the first flow with the real API key, OWM sends you an error message: error 401.
[{"id":"800e3b2905246688","type":"tab","label":"OpenWeatherMap","disabled":false,"info":"","env":[]},{"id":"bd1120c9a023f3b5","type":"group","z":"800e3b2905246688","name":"Openweathermap","style":{"label":true,"fill":"#e3f3d3","fill-opacity":"0.57"},"nodes":["c342d046030f8660","28479ea02db80e49","df2c038951f8ea96","d599a16e7d6fead7"],"x":54,"y":59,"w":732,"h":82},{"id":"c342d046030f8660","type":"function","z":"800e3b2905246688","g":"bd1120c9a023f3b5","name":"Setup","func":"const owmid = global.get(\"myAPIkey\") || \"NoAPIkey\"\n\nmsg.url = \"https://api.openweathermap.org/data/3.0/onecall?\"\nmsg.url += \"lat=\" + msg.payload.lat + \"&lon=\" + msg.payload.long + \"&units=metric\"\nmsg.url += \"&appid=\" + owmid\nreturn msg;\n\n","outputs":1,"timeout":"","noerr":0,"initialize":"","finalize":"","libs":[],"x":290,"y":100,"wires":[["28479ea02db80e49"]]},{"id":"28479ea02db80e49","type":"http request","z":"800e3b2905246688","g":"bd1120c9a023f3b5","name":"Openweathermap","method":"GET","ret":"obj","paytoqs":"ignore","url":"","tls":"","persist":false,"proxy":"","insecureHTTPParser":false,"authType":"","senderr":false,"headers":[],"x":470,"y":100,"wires":[["d599a16e7d6fead7"]]},{"id":"df2c038951f8ea96","type":"inject","z":"800e3b2905246688","g":"bd1120c9a023f3b5","name":"","props":[{"p":"payload"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"{\"location\": \"Peterborough\", \"lat\": 52.3611199, \"long\": -1.992723}","payloadType":"json","x":150,"y":100,"wires":[["c342d046030f8660"]]},{"id":"d599a16e7d6fead7","type":"debug","z":"800e3b2905246688","g":"bd1120c9a023f3b5","name":"debug 2577","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":670,"y":100,"wires":[]}]
As long as I never post the real first flow, nobody can possibly see my API key.
Note that if I use a well-designed dedicated node such as node-red-node-openweathermap instead, the API key that I set in the config is stored in flows_cred.json and it is never included with an export of the flow.
Either way, your API key is kept confidential.
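A check that can be run on an export before posting it, as an added example that is not part of the original post: it flags change, http request and function nodes that carry a literal key. The function name, the regex patterns and the sample exports are assumptions constructed for illustration.

```javascript
// Added example: flag literal credentials in a Node-RED flow export before sharing it.
// findHardcodedSecrets and both patterns are assumptions, not Node-RED APIs.
const SECRET_NAME = /(api[-_]?key|token|secret|passw(or)?d|appid)/i;
// key=value in a URL; values starting with { or $ are templates, not literals
const URL_SECRET = /[?&](appid|api[-_]?key|token)=(?![{$])[^&\s"']+/i;

function findHardcodedSecrets(flowJson) {
  const findings = [];
  for (const n of JSON.parse(flowJson)) {
    if (n.type === "change") {
      // "set" rule writing a non-empty literal string to a secret-named property
      for (const r of n.rules || []) {
        if (r.t === "set" && r.tot === "str" && r.to && SECRET_NAME.test(r.p)) {
          findings.push({ id: n.id, where: `${r.pt}.${r.p}` });
        }
      }
    }
    // key typed into the http request node's URL field
    if (n.type === "http request" && URL_SECRET.test(n.url || "")) {
      findings.push({ id: n.id, where: "url" });
    }
    // key pasted into function code as a query-string literal
    if (n.type === "function" && URL_SECRET.test(n.func || "")) {
      findings.push({ id: n.id, where: "func" });
    }
  }
  return findings;
}

// Constructed samples modelled on the post's two flows (placeholder key only).
const keyFlow = JSON.stringify([{ id: "13e97f474aee0641", type: "change", rules: [
  { t: "set", p: "myAPIkey", pt: "global", to: "1234567890abcdefghijklmnoq", tot: "str" }] }]);
const weatherFlow = JSON.stringify([
  { id: "c342d046030f8660", type: "function",
    func: 'const owmid = global.get("myAPIkey") || "NoAPIkey"\nmsg.url += "&appid=" + owmid\nreturn msg;' },
  { id: "28479ea02db80e49", type: "http request", url: "" }]);
// Constructed counter-case: the key pasted straight into the function node.
const pastedKey = JSON.stringify([{ id: "constructed01", type: "function",
  func: 'msg.url = "https://api.openweathermap.org/data/3.0/onecall?lat=1&lon=2&appid=PLACEHOLDERKEY"; return msg;' }]);

console.log(findHardcodedSecrets(keyFlow));     // the first flow: must stay private
console.log(findHardcodedSecrets(weatherFlow)); // the shared flow: nothing to flag
console.log(findHardcodedSecrets(pastedKey));   // literal key in code: flagged
```

An empty result for the export you are about to post is the expected outcome; any finding names the node id and the field to clear first.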