API Keys are essentially master keys to the API. There’s no way to restrict access by user account or app. You simply generate your key and then pass it as part of the API request. While this should be encrypted, all someone has to do is get access to this one key and the door is unlocked.
With OAuth, you start with an app which will generate a client and secret key. You use these in combination with a scope to generate a URL requiring a user to log into their account and approve the access levels defined by the scope. (And if they don’t have permissions for those scopes, then they won’t be able to authorize it.) You then retrieve an access token (requiring several identical bits of info from the original request) which expires and must be renewed (with a separate refresh token) every 8 hours. You only pass the secret with the original auth request, which reduces the possibility of it being intercepted. If someone manages to get your access token, the scope is hopefully restricted and will only last at most another 8 hours.
Essentially it’s much more difficult to crack and get unfettered access to the API. (It also allows you to create apps which can grant access to any Hub, while API tokens are tied to a specific Hub account.)
It should be possible to create developer portals which allow you to create temporary test portals. I’m not sure if they have complete API coverage, as I’ve never used one personally.
Edit: It was 8 hours, sorry.
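The flow the post describes (client id and secret, a scope the user must approve, a one-time code exchanged for an access token that expires after 8 hours, and a refresh token to renew it) as an added, self-contained Python example. This is illustration code written for this page, not the provider's or any library's implementation: the authorization server is an in-memory stand-in, the client id, secret, redirect URI and scope names (`contacts.read`, `contacts.write`, `admin`) are constructed values, and a fake clock is used so the 8-hour expiry can be observed without waiting.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TOKEN_TTL = 8 * 3600  # seconds: the 8-hour access-token lifetime from the post


class FakeClock:
    """Deterministic clock so the example can 'wait' 8 hours without sleeping."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


@dataclass
class Grant:
    scopes: frozenset
    expires_at: float


class AuthServer:
    """In-memory stand-in for an OAuth 2.0 authorization + resource server (constructed for this example)."""

    def __init__(self, client_id, client_secret, user_permissions, clock):
        self.client_id, self.client_secret = client_id, client_secret
        self.user_permissions = frozenset(user_permissions)
        self.clock = clock
        self._codes = {}    # one-time code -> (scopes, redirect_uri)
        self._access = {}   # access token -> Grant
        self._refresh = {}  # refresh token -> scopes

    def _check_client(self, client_id, client_secret):
        # The secret is checked only here, i.e. only on the token endpoint.
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("bad client credentials")

    def authorize(self, client_id, redirect_uri, scopes, state):
        """Step 1: the user logs in and approves `scopes`; they cannot grant what they lack."""
        if client_id != self.client_id:
            raise PermissionError("unknown client")
        missing = frozenset(scopes) - self.user_permissions
        if missing:
            raise PermissionError(f"user lacks scopes {sorted(missing)}")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (frozenset(scopes), redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2: exchange the one-time code for tokens; must repeat the same client and redirect_uri."""
        self._check_client(client_id, client_secret)
        scopes, bound_uri = self._codes.pop(code, (None, None))
        if scopes is None or bound_uri != redirect_uri:
            raise PermissionError("invalid, replayed, or mismatched code")
        return self._issue(scopes)

    def refresh(self, client_id, client_secret, refresh_token):
        """Step 3: renew an expired access token; the used refresh token is invalidated (rotation)."""
        self._check_client(client_id, client_secret)
        scopes = self._refresh.pop(refresh_token, None)
        if scopes is None:
            raise PermissionError("unknown or already-used refresh token")
        return self._issue(scopes)

    def _issue(self, scopes):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[access] = Grant(scopes, self.clock() + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = scopes
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}

    def call_api(self, access_token, required_scope):
        """Resource endpoint: 401 if the token is unknown or expired, 403 if the scope was not granted."""
        grant = self._access.get(access_token)
        if grant is None or self.clock() >= grant.expires_at:
            return 401
        return 200 if required_scope in grant.scopes else 403


def _denied(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def run_flow():
    """Runs the flow end to end and returns what each step observed."""
    clock = FakeClock()
    client_id, client_secret = "app-123", "app-secret"      # constructed values
    redirect_uri = "https://app.example/oauth/callback"     # constructed value
    server = AuthServer(client_id, client_secret, {"contacts.read", "contacts.write"}, clock)
    state = secrets.token_urlsafe(8)
    results = {}

    # The user approves only contacts.read; the secret is not part of this request.
    location = server.authorize(client_id, redirect_uri, {"contacts.read"}, state)
    qs = parse_qs(urlparse(location).query)
    if qs["state"][0] != state:
        raise RuntimeError("state mismatch on callback")   # CSRF protection on the redirect
    code = qs["code"][0]

    tok = server.token(client_id, client_secret, code, redirect_uri)
    results["read"] = server.call_api(tok["access_token"], "contacts.read")
    results["write"] = server.call_api(tok["access_token"], "contacts.write")   # never granted
    results["replayed_code"] = _denied(server.token, client_id, client_secret, code, redirect_uri)
    results["overreach"] = _denied(server.authorize, client_id, redirect_uri, {"admin"}, state)

    clock.t += ACCESS_TOKEN_TTL + 1   # 8 hours pass: a leaked access token is now useless
    results["expired"] = server.call_api(tok["access_token"], "contacts.read")
    new = server.refresh(client_id, client_secret, tok["refresh_token"])
    results["after_refresh"] = server.call_api(new["access_token"], "contacts.read")
    results["old_refresh_reused"] = _denied(server.refresh, client_id, client_secret, tok["refresh_token"])
    return results


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step:>18}: {outcome}")
```

Running it shows the contrast with a single static API key: a token obtained this way can only do what the user approved (`write` returns 403), stops working after the 8-hour window (`expired` returns 401), and the authorization code and old refresh token are single-use, while the client secret is presented only on the token endpoint.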