In both cases, the API key will be passed unencrypted. Therefore, both of them are unsafe if you do not use HTTPS.
In practice, the HTTP header is a bit more secure because:
- the URL is stored in browser history
- the URL is stored in server-side access logs
In addition, a REST API over the Internet cannot be protected unless you ask the user to log in with their credentials. Anyone can easily identify the API key and make requests to your server.
EDIT: In response to @segfault's comments:
A website user does not usually enter an API key. They enter their username and password, and these are exchanged for an API key, or an access token, as it is usually called.
If you force your users to enter an API key instead of a username and password, this will be safe. But, as I said, I have not seen this in any serious application.
More specifically, I meant: "If the backend API expects an API key, and you make AJAX calls from the browser, and you do not request any credentials from the user, you are insecure."