Many routes in our OpenAPI spec do not have `api_key` set in the `security` property. Those routes use the `key_or_session_or_token` auth property. See @razor-x's comments in this PR: https://github.com/seamapi/seam-connect/pull/5809