Initially, the API key is stored in a file, which is untracked by Git. It was fine until when I found out that Heroku requires files to be published to be tracked by Git.
I didn’t want to expose my secret string to GitHub, which is very easily searchable as Jamie Taylor points out in his blog post, User Secrets – What Are They And Why Do I Need Them? (Jamie talks about how to use User Secrets, please refer to it if you are dealing with .NET Core).
So the alternative is to use an environment variable and make it available on Heroku.