I'm not sure the best way to generate API keys, but you can use regular credentials and add a Security Restrict option on the APIs to keep them from being available publicly. There's an option to define Permissions if you want to limit it to certain users.
Also, I'm guessing you're going to want to provide standard REST method options, so please vote for this feature request. Right now Wappler only supports GET and POST, so you've got to build workarounds to allow for deletes and updates, which isn't following REST standards.