Using Function Keys as an authentication mechanism is not prescribed for the production scenario.
Here is the official documentation on Function Keys: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#function-access-keys
Notice in that documentation, it is clearly mentioned that Function Keys should not be shared around.
The options to secure an Azure Function App are defined here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production
If you are already on Azure, then the best way is as follows:
- Create an Azure AD App registration for your Function App. Note down the client ID.
- Your clients or consumers of the Azure Function App will need to authenticate themselves with Azure AD and get a token. That token needs to be passed in the Authorization header (usually known as a Bearer token).
- Create an Azure Function App. Make your Function's auth level anonymous. Then use JWT security packages to read the token and authenticate/authorize the user using the token.
This is the best practice.
If you don't want to use Azure AD, i.e. the consumers or users of your application are not internal to your Azure AD, you can go with Azure AD B2C for your application. Up to 50K active users in one Azure AD B2C account are free; no charges are levied. An Azure Function App can be protected by Azure AD B2C as well.
Do not share your function keys with any of the consumers of the Function App API.
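The three-step flow in the answer above (app registration, caller obtains an Azure AD token, function set to anonymous and validates the JWT itself), as an added example that is not part of the original post and not code from Microsoft's documentation. It is a .NET isolated-worker HTTP-triggered function. It assumes the NuGet packages Microsoft.Azure.Functions.Worker, Microsoft.Azure.Functions.Worker.Extensions.Http, Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt, and two app settings whose names are chosen here for illustration: AAD_TENANT_ID and AAD_CLIENT_ID (the client ID noted down from the app registration). The role/scope name Data.Read is a placeholder you would define in your own app registration.

```csharp
// Added example (not from the original answer): an anonymous-auth Azure Function that
// validates an Azure AD bearer token against the tenant's published signing keys.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class SecuredFunction
{
    // Assumed app setting names; pick your own.
    private static readonly string TenantId = Environment.GetEnvironmentVariable("AAD_TENANT_ID")
        ?? throw new InvalidOperationException("AAD_TENANT_ID not set");
    private static readonly string ClientId = Environment.GetEnvironmentVariable("AAD_CLIENT_ID")
        ?? throw new InvalidOperationException("AAD_CLIENT_ID not set");

    // One shared manager: it downloads the tenant's OpenID Connect metadata (issuer and
    // JWKS signing keys) once and refreshes it automatically, which handles key rollover.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    [Function("Secured")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req,
        CancellationToken ct)
    {
        ClaimsPrincipal? caller = await ValidateBearerAsync(req, ct);
        if (caller is null)
        {
            // Authentication failed: no token, bad signature, wrong audience/issuer, or expired.
            var denied = req.CreateResponse(HttpStatusCode.Unauthorized);
            denied.Headers.Add("WWW-Authenticate", "Bearer");
            return denied;
        }

        // Authorization: accept either an app role (daemon callers, "roles" claim) or a
        // delegated scope (user callers, space-separated "scp" claim). "Data.Read" is a placeholder.
        bool hasRole = caller.HasClaim("roles", "Data.Read");
        bool hasScope = (caller.FindFirst("scp")?.Value ?? string.Empty)
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Contains("Data.Read");
        if (!hasRole && !hasScope)
        {
            return req.CreateResponse(HttpStatusCode.Forbidden);
        }

        var ok = req.CreateResponse(HttpStatusCode.OK);
        await ok.WriteStringAsync($"Hello {caller.FindFirst("oid")?.Value ?? "caller"}");
        return ok;
    }

    private static async Task<ClaimsPrincipal?> ValidateBearerAsync(HttpRequestData req, CancellationToken ct)
    {
        if (!req.Headers.TryGetValues("Authorization", out var values)) return null;
        string? header = values.FirstOrDefault();
        if (header is null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return null;
        string token = header.Substring("Bearer ".Length).Trim();

        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            // v2.0 tokens carry the issuer from the metadata document; v1.0 tokens use the
            // sts.windows.net form. Both point at the same tenant, so both are accepted here.
            ValidIssuers = new[] { config.Issuer, $"https://sts.windows.net/{TenantId}/" },
            // v2.0 tokens use the bare client ID as audience; v1.0 tokens use api://<client-id>.
            ValidAudiences = new[] { ClientId, $"api://{ClientId}" },
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        try
        {
            // Verifies signature, issuer, audience and expiry; throws on any failure.
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null;
        }
    }
}
```

Two points worth keeping in mind: the function key is never involved, so nothing secret is handed to consumers, and the signing keys are fetched from the tenant's metadata endpoint rather than being pinned in configuration, so Azure AD key rotation does not break the function. For an Azure AD B2C tenant the same code applies; only the metadata URL changes to the B2C policy's OpenID Connect metadata document.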