diff --git a/.changeset/neat-starfishes-fail.md b/.changeset/neat-starfishes-fail.md
new file mode 100644
index 00000000..d08a6316
--- /dev/null
+++ b/.changeset/neat-starfishes-fail.md
@@ -0,0 +1,5 @@
+---
+"@google/generative-ai": patch
+---
+
+Send API key in header instead of query param.
diff --git a/packages/main/src/requests/request.test.ts b/packages/main/src/requests/request.test.ts
index 1252e6e8..2f2f3e51 100644
--- a/packages/main/src/requests/request.test.ts
+++ b/packages/main/src/requests/request.test.ts
@@ -44,6 +44,7 @@ describe("request methods", () => {
         true,
       );
       expect(url.toString()).to.include("generateContent");
+      expect(url.toString()).to.not.include("key");
       expect(url.toString()).to.include("alt=sse");
     });
     it("non-stream", async () => {
@@ -54,18 +55,9 @@ describe("request methods", () => {
         false,
       );
       expect(url.toString()).to.include("generateContent");
-      expect(url.toString()).to.include("key=key");
+      expect(url.toString()).to.not.include("key");
       expect(url.toString()).to.not.include("alt=sse");
     });
-    it("obscured", async () => {
-      const url = new RequestUrl(
-        "model-name",
-        Task.GENERATE_CONTENT,
-        "key",
-        false,
-      );
-      expect(url.toObscuredString()).to.include("key=__API_KEY__");
-    });
   });
   describe("makeRequest", () => {
     it("no error", async () => {
@@ -83,7 +75,7 @@ describe("request methods", () => {
         statusText: "Server Error",
       } as Response);
       await expect(makeRequest(fakeRequestUrl, "")).to.be.rejectedWith(
-        /key=__API_KEY__.*500 Server Error/,
+        /500 Server Error/,
       );
       expect(fetchStub).to.be.calledOnce;
     });
@@ -95,7 +87,7 @@ describe("request methods", () => {
         json: () => Promise.resolve({ error: { message: "extra info" } }),
       } as Response);
       await expect(makeRequest(fakeRequestUrl, "")).to.be.rejectedWith(
-        /key=__API_KEY__.*500 Server Error.*extra info/,
+        /500 Server Error.*extra info/,
       );
       expect(fetchStub).to.be.calledOnce;
     });
diff --git a/packages/main/src/requests/request.ts b/packages/main/src/requests/request.ts
index a646bcf1..c814dbe1 100644
--- a/packages/main/src/requests/request.ts
+++ b/packages/main/src/requests/request.ts
@@ -43,18 +43,13 @@ export class RequestUrl {
     public apiKey: string,
     public stream: boolean,
   ) {}
-  toString(apiKeyInUrl = this.apiKey): string {
-    let url =
-      `${BASE_URL}/${API_VERSION}` +
-      `/models/${this.model}:${this.task}?key=${apiKeyInUrl}`;
+  toString(): string {
+    let url = `${BASE_URL}/${API_VERSION}/models/${this.model}:${this.task}`;
     if (this.stream) {
-      url += "&alt=sse";
+      url += "?alt=sse";
     }
     return url;
   }
-  toObscuredString(): string {
-    return this.toString("__API_KEY__");
-  }
 }
 
 /**
@@ -75,6 +70,7 @@ export async function makeRequest(
       headers: {
         "Content-Type": "application/json",
         "x-goog-api-client": getClientHeaders(),
+        "x-goog-api-key": url.apiKey,
       },
       body,
     });
@@ -93,7 +89,7 @@ export async function makeRequest(
     }
   } catch (e) {
     const err = new GoogleGenerativeAIError(
-      `Error fetching from ${url.toObscuredString()}: ${e.message}`,
+      `Error fetching from ${url.toString()}: ${e.message}`,
     );
     err.stack = e.stack;
     throw err;