at the moment when using the parameter --default-credentials-userkey this default to a header key userkey in query (to configure anonymous policy). If you are actually mapping an already protected API (which has its own key header) this should be configurable so that instead of configuring anonymous policy, a header modification policy is configured, according to the protection inherited from the API