API Token following an IETF standard
under review
Leonardo Marciano
API keys and external communication services should adhere to international standards, simply because they are designed for exposure.
Therefore, in addition to following best practices for APIs, such as OpenAPI, the token itself should also be implemented securely.
JWT is currently the most popular standard, but the generated key seems more similar to an Opaque Access Token. If that's the case, it would be beneficial to include best practices for it as well.
It’s also important to include an HMAC/CRC32 and other relevant components in the API key. I would recommend using JWT for the ease of validation from a backend not coupled with NextJS, though there are several other approaches to consider.
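One shape an opaque API key with an embedded HMAC check could take, as an added example that is not part of the original post or the project's code. The `demo` prefix, the key layout and every function name are assumptions; the tag lets any backend that holds the server secret discard malformed or forged keys before a database lookup.

```javascript
// Added example: opaque API key with an embedded HMAC tag.
// PREFIX, the key layout and every function name here are assumptions.
const crypto = require("node:crypto");

const PREFIX = "demo"; // hypothetical prefix; makes leaked keys easy to scan for
const KEY_RE = /^([a-z]+)_([0-9a-f]{48})_([0-9a-f]{32})$/;

// First 128 bits of HMAC-SHA256 over "<prefix>_<id>", hex encoded.
function tagFor(serverSecret, body) {
  return crypto.createHmac("sha256", serverSecret).update(body)
    .digest("hex").slice(0, 32);
}

// Issue "<prefix>_<192-bit random id>_<tag>".
function issueKey(serverSecret) {
  const body = `${PREFIX}_${crypto.randomBytes(24).toString("hex")}`;
  return `${body}_${tagFor(serverSecret, body)}`;
}

// Stateless check: shape, prefix, then the tag in constant time.
function verifyFormat(serverSecret, key) {
  const m = KEY_RE.exec(String(key));
  if (!m || m[1] !== PREFIX) return false;
  const expected = Buffer.from(tagFor(serverSecret, `${m[1]}_${m[2]}`), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(m[3], "hex"));
}

// The store keeps only a digest of the key, never the key itself.
function storageDigest(key) {
  return crypto.createHash("sha256").update(key).digest("hex");
}

// Full check: the tag filters garbage early; the store decides validity,
// so deleting an entry revokes the key.
function authenticate(serverSecret, key, store) {
  if (!verifyFormat(serverSecret, key)) return null;
  return store.get(storageDigest(key)) ?? null;
}
```

The tag is an integrity check on the key's format only; a key is valid only if its digest is still present in the store.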
Support
Oh yes, definitely! The project is switching soon to Turborepo. After blog and docs, the next thing to add is an example public API. I will change the API key/token generation then.