We use very long secured API keys, which works fine with the 3.x version of the package but version 4.x breaks this, as the key seems to be appended to the URL regardless how long it is. It basically reintroduces this: #319. I think version 4 should also sent long api keys via the POST body.